# Privacy Commissioner investigatory powers and Federal Court remedies
Canada's federal privacy enforcement regime under the Personal Information Protection and Electronic Documents Act (PIPEDA) operates through a two-stage process: investigation by the Privacy Commissioner of Canada followed, if necessary, by remedial proceedings before the Federal Court. The Commissioner cannot impose fines or binding orders; enforcement authority rests with the court.
## Privacy Commissioner investigatory powers
The Privacy Commissioner of Canada is a quasi-judicial ombudsperson appointed under PIPEDA to receive and investigate complaints alleging contraventions of the Act's fair information principles (set out in Schedule 1 and Divisions 1 and 1.1). The Commissioner may investigate on complaint or initiate an investigation ex proprio motu where reasonable grounds exist.
Under section 12.1, the Commissioner has broad investigatory powers, including:
- Summons authority: Power to summon and enforce the appearance of persons, compel them to give oral or written evidence on oath, and produce records and things "in the same manner and to the same extent as a superior court of record."
- Audit authority: Under section 18, the Commissioner may audit an organization's personal information management practices on reasonable notice if the Commissioner has reasonable grounds to believe the organization has contravened a PIPEDA provision. The audit power includes the same summons and compulsion authority.
- Premises access: The Commissioner may enter any business premises (excluding a dwelling-house) and examine books, records, or other documents relevant to the investigation.
- Confidentiality: The Commissioner and persons acting under the Commissioner's direction are subject to strict confidentiality requirements under section 20; information obtained during investigations generally may not be disclosed except as required by the Act or in the public interest.
The Commissioner's investigation culminates in a report issued under section 13, which sets out the Commissioner's findings and may include recommendations for the organization to correct its practices.
## Compliance agreements
Under section 17.1 (added by the Digital Privacy Act, S.C. 2015, c. 32), the Commissioner may enter into a compliance agreement with an organization if the Commissioner believes on reasonable grounds that the organization has committed, is about to commit, or is likely to commit a contravention of PIPEDA. A compliance agreement may contain any terms the Commissioner considers necessary to ensure compliance.
While a compliance agreement is in effect, the Commissioner cannot apply to the Federal Court for a hearing and must suspend any pending applications covering the same matter. If the organization complies, the Commissioner withdraws any related court applications. If the organization breaches the agreement, the Commissioner may apply to the Federal Court for an order requiring compliance or for reinstatement of a court hearing.
## Federal Court remedies
PIPEDA grants no direct enforcement power to the Commissioner. Instead, section 14(1) allows a complainant to apply to the Federal Court for a hearing in respect of the complaint, but only after receiving the Commissioner's report or being notified that the investigation has been discontinued. The application must be made within one year after the report is sent, though the Court may extend this period.
Under section 15, the Commissioner may:
- Apply to the Court for a hearing (with the complainant's consent);
- Appear before the Court on behalf of the complainant; or
- With leave, appear as a party.
If the Court finds that the organization has contravened PIPEDA, section 16 authorizes the Court to:
(a) Order the organization to correct its practices, including ceasing the contravention and taking specific remedial steps;
(b) Order the organization to publish a notice of any action taken or proposed to be taken to correct its practices, whether or not the Court has ordered corrective action under paragraph (a); and
(c) Award damages to the complainant, including damages for humiliation that the complainant has suffered.
The Court is instructed under section 17(1) to hear and determine applications "without delay and in a summary way" unless the Court considers it inappropriate to do so.
## No administrative monetary penalties
PIPEDA contains no general fine or administrative monetary penalty regime. Unlike the regulators that enforce the EU GDPR or California's CCPA, the Privacy Commissioner cannot issue fines. The only statutory penalties in PIPEDA are criminal offences under section 28 (obstructing the Commissioner) and section 29 (destroying or falsifying records with intent to evade a PIPEDA requirement), punishable by fine or imprisonment. These provisions are rarely invoked.
The primary enforcement lever is the threat of Federal Court remedies — in particular, the reputational harm of a public corrective order and the financial exposure to compensatory and humiliation damages. Canadian courts have awarded damages in PIPEDA cases ranging from nominal sums to several thousand dollars per complainant; class actions alleging systemic breaches have resulted in settlements in the millions, though such settlements typically include legal fees and claims administration costs alongside individual compensation.
Source: Personal Information Protection and Electronic Documents Act, S.C. 2000, c. 5
# Mandatory breach notification and criminal offences under PIPEDA sections 10.1–10.3
Canada's mandatory data breach notification regime under the Personal Information Protection and Electronic Documents Act (PIPEDA) took effect November 1, 2018, when Division 1.1 (sections 10.1–10.3) came into force. The regime creates three distinct legal obligations — report to the Privacy Commissioner, notify affected individuals, and maintain breach records — backed by criminal offences for knowing non-compliance.
## Reporting threshold: real risk of significant harm
An organization must report a breach of security safeguards to the Privacy Commissioner of Canada, and notify affected individuals, if it is reasonable in the circumstances to believe that the breach creates a real risk of significant harm to an individual (sections 10.1(1) and 10.1(3)). A "breach of security safeguards" is defined as the loss of, unauthorized access to, or unauthorized disclosure of personal information resulting from a breach of the organization's security safeguards referred to in clause 4.7 of Schedule 1, or from a failure to establish those safeguards.
Significant harm is defined in section 10.1(7) to include bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on the credit record, and damage to or loss of property. The list is non-exhaustive ("includes").
Section 10.1(8) specifies that the factors relevant to determining whether a breach creates a real risk of significant harm include:
(a) the sensitivity of the personal information involved in the breach; and
(b) the probability that the personal information has been, is being, or will be misused.
This is the same "real risk of significant harm" standard Alberta's Personal Information Protection Act has applied since 2010. The Office of the Privacy Commissioner of Canada has published detailed guidance on the test, which requires a fact-specific assessment for each breach.
## Reporting and notification timeline
The report to the Commissioner and notification to affected individuals must be made "as soon as feasible after the organization determines that the breach has occurred" (sections 10.1(2) and 10.1(6)). PIPEDA does not prescribe a numeric deadline (unlike GDPR's 72-hour rule), but "as soon as feasible" is a strict standard; delay must be justified by investigative necessity, not administrative convenience. The Privacy Commissioner's guidance emphasizes that organizations should report promptly once they have confirmed a breach meeting the threshold, even if the investigation is ongoing.
## Content of notification
The report to the Commissioner must contain the prescribed information set out in the Breach of Security Safeguards Regulations (SOR/2018-64) and must be made in the prescribed form and manner (section 10.1(2)). The notification to individuals must contain sufficient information to allow the individual to understand the significance to them of the breach and to take steps, if any are possible, to reduce the risk of harm that could result from it (section 10.1(4)).
## Notification to third parties
Under section 10.2, if an organization notifies an individual of a breach, it must also notify any other organization, government institution, or part of a government institution if the notifying organization believes the other entity may be able to reduce the risk of harm that could result from the breach or mitigate that harm. This provision enables notification to financial institutions, credit bureaus, law enforcement, or other entities that can take protective measures. Such disclosures are permitted despite clause 4.5 of Schedule 1 (the consent-for-secondary-use principle), under section 10.2(3).
## Universal record-keeping requirement
Section 10.3(1) requires an organization to keep and maintain a record of every breach of security safeguards involving personal information under its control, in accordance with any prescribed requirements. This obligation applies to every breach, whether or not it meets the "real risk of significant harm" threshold for reporting and notification. The Breach of Security Safeguards Regulations require that breach records be maintained for 24 months after the day on which the organization determines that the breach has occurred (section 6(1) of the Regulations). The record must contain any information that enables the Commissioner to verify compliance with the reporting and notification obligations under sections 10.1(1) and (3) (section 6(2) of the Regulations).
The Privacy Commissioner may, on request, require the organization to provide access to, or a copy of, the breach record (section 10.3(2)).
## Criminal offences for non-compliance
PIPEDA section 28 establishes criminal offences for knowing violations of the breach notification regime. Every organization that knowingly contravenes section 10.1 (the duty to report and notify), section 10.2 (the duty to notify third parties), or section 10.3 (the duty to maintain breach records) is guilty of an offence. The offence requires intent ("knowingly"); mere negligence or an erroneous good-faith assessment of whether a breach meets the "real risk of significant harm" threshold is not sufficient for criminal liability.
Unable to confirm as of 2026-06-01 the specific fine amounts under section 28 for breach notification offences; however, the Breach of Security Safeguards Regulations state that the breach notification provisions came into force under the Digital Privacy Act (S.C. 2015, c. 32) on November 1, 2018. The Privacy Commissioner does not directly prosecute offences under section 28; the Commissioner refers potential violations to the Attorney General of Canada, who may direct the Public Prosecution Service of Canada to proceed.
## No administrative monetary penalty regime
Unlike the European Union's GDPR or Quebec's Law 25, PIPEDA does not authorize the Privacy Commissioner to impose administrative monetary penalties (fines) for breach notification violations. The only statutory penalty mechanism is the criminal offence under section 28, which requires proof of knowing violation and prosecution by the federal Crown. This makes PIPEDA's breach notification enforcement significantly weaker than that of Quebec (which can impose administrative penalties up to CAD $10 million or 2% of worldwide turnover under Law 25) or the EU (which can impose fines up to €20 million or 4% of annual worldwide turnover under GDPR Article 83).
Source: Breach of Security Safeguards Regulations, SOR/2018-64
# Individual private right of action and damages under PIPEDA section 16
PIPEDA creates a private right of action for individuals to seek judicial remedies for privacy violations, bypassing the need for direct enforcement by the Privacy Commissioner of Canada. This mechanism—unique among Canadian federal privacy statutes—allows complainants to obtain binding corrective orders and monetary damages, including damages for humiliation, from the Federal Court.
## Individual standing: section 14 application to Federal Court
Under PIPEDA section 14(1), a complainant may apply to the Federal Court for a hearing in respect of any matter referred to in the Privacy Commissioner's report after receiving the Commissioner's report or after being notified that the investigation has been discontinued. The application must be brought within one year of the date the Commissioner's report or notice of discontinuance is sent, though the Court has discretion to extend this period (section 14(2)).
A section 14 application is not a judicial review of the Commissioner's report or findings. It is a de novo hearing—a fresh proceeding in which the complainant bears the burden of proving, on a balance of probabilities, that the organization contravened PIPEDA. The Federal Court may consider evidence that was not before the Commissioner and is not bound by the Commissioner's factual findings, though it may accord the Commissioner deference on matters within the Commissioner's area of expertise.
The complainant may represent themselves or retain counsel. Under section 15, the Privacy Commissioner may, with the complainant's consent, apply to the Court for a hearing, appear on behalf of the complainant, or (with leave) appear as a party. The Commissioner has on occasion initiated Federal Court applications where organizations have refused to implement the Commissioner's recommendations.
## Remedies available: section 16
If the Federal Court finds that an organization has contravened a provision of PIPEDA (sections 5 to 10) or one of the fair information principles set out in Schedule 1, section 16 authorizes the Court to grant three categories of remedy:
(a) Corrective orders: The Court may order the organization to correct its practices to comply with PIPEDA, including by ceasing the contravention and taking specified remedial steps (e.g., implementing new safeguards, deleting improperly collected information, or ceasing an unauthorized use or disclosure).
(b) Publication orders: The Court may order the organization to publish a notice of any action taken or proposed to be taken to correct its practices, whether or not the Court has made a corrective order under paragraph (a). Publication orders serve a deterrent and transparency function, imposing reputational consequences on the contravening organization.
(c) Damages: The Court may award damages to the complainant, including damages for any humiliation that the complainant has suffered. Section 16(c) expressly contemplates non-pecuniary damages, recognizing that privacy violations frequently cause dignitary harm—humiliation, distress, damage to reputation—that cannot be easily quantified but warrants compensation.
The power to award damages under section 16(c) is discretionary, not automatic upon a finding of contravention. The Court must be satisfied that an award of damages is appropriate in the circumstances and that the complainant has suffered compensable harm directly resulting from the PIPEDA breach.
## Evidentiary requirements for damages
A complainant seeking damages must file affidavit evidence establishing:
- The fact and nature of the PIPEDA contravention;
- The harm suffered (financial loss, humiliation, reputational damage, or other injury); and
- The causal connection between the contravention and the harm.
If damages are sought for humiliation, the complainant's affidavit should describe the emotional and reputational impact of the breach. Evidence of financial loss (e.g., denial of credit, loss of employment opportunity, costs incurred to mitigate harm) requires specific proof; general assertions are insufficient.
The Office of the Privacy Commissioner's guidance emphasizes that if damages are sought as a remedy, the applicant is required to file appropriate evidence to support this claim. Affidavits must be limited to facts within the personal knowledge of the individual swearing the affidavit.
## Quantum of damages: the "egregious situations" threshold
Canadian courts have awarded PIPEDA damages sparingly. The Federal Court has repeatedly emphasized that damages should be awarded only in "egregious situations"—cases involving serious breaches, sensitive information, bad faith, or deliberate disregard of privacy obligations. The leading articulation of this standard appears in Randall v. Nubodys Fitness Centres, where Justice Mosley stated that "an award of damages is not to be made lightly" and "should only be made in the most egregious situations."
Notwithstanding this restrictive approach, the Federal Court has recognized that damages may serve deterrent and vindicatory purposes under PIPEDA. Awards are justified where:
- The breach involved sensitive personal information (financial records, health information, information relating to family relationships);
- The organization acted in bad faith or attempted to cover up the breach;
- The breach caused identifiable humiliation or reputational harm to the complainant; or
- The organization failed to take prompt, reasonable steps to correct the error or mitigate harm after learning of the breach.
Unable to confirm as of 2026-06-01 the specific dollar amounts awarded in individual Federal Court damages decisions under PIPEDA section 16, including reported awards in cases such as Nammo v. TransUnion of Canada Inc. (2010) and Biron v. RBC Royal Bank (2012). The Privacy Commissioner's guidance and secondary sources indicate that awards have ranged from nominal sums to several thousand dollars per complainant in individual cases, with class action settlements for systemic breaches reaching the millions (though settlements typically include legal fees, notice costs, and claims administration alongside individual compensation). However, primary-source Federal Court decisions confirming these quantum figures are not available on the Office of the Privacy Commissioner's website or other primary-authority hosts accessible as of the date of this section.
## Costs
The Federal Court has discretion to award costs in favour of the successful party under the Federal Courts Rules. A complainant who succeeds on a section 14 application may recover a portion of their legal fees and disbursements from the respondent organization. Conversely, a complainant whose application is dismissed may be ordered to pay the organization's costs.
For self-represented litigants, case law suggests that cost awards may include disbursements and possible "opportunity costs" for time lost pursuing the application, though not compensation for lost revenue. The risk of an adverse costs award is a material consideration for complainants contemplating Federal Court litigation, particularly in cases involving factual disputes or modest alleged harm.
## No statutory damages or administrative monetary penalties
PIPEDA does not authorize statutory damages—fixed or range-based awards that do not require proof of actual harm. The Privacy Commissioner has repeatedly recommended that Parliament amend PIPEDA to introduce statutory damages for certain contraventions, similar to those available under the Copyright Act or Quebec's Law 25, to facilitate proof and deter low-level but widespread privacy violations (e.g., unauthorized marketing disclosures). As of 2026, Parliament has not enacted this reform.
Similarly, PIPEDA contains no administrative monetary penalty regime that would allow the Privacy Commissioner to impose fines directly. All monetary awards under PIPEDA flow from Federal Court orders under section 16, not from administrative decisions by the Commissioner. This distinguishes PIPEDA from the European Union's GDPR (which authorizes supervisory authorities to impose administrative fines up to €20 million or 4% of annual worldwide turnover) and from Quebec's Law 25 (which authorizes the Commission d'accès à l'information to impose administrative monetary penalties up to CAD $10 million or 2% of worldwide turnover for serious contraventions).
The combination of the "egregious situations" damages threshold, the absence of statutory damages, and the lack of administrative monetary penalties means that PIPEDA enforcement relies heavily on reputational pressure (the Commissioner's power to name organizations publicly and to issue compliance agreements) and on the threat of Federal Court corrective orders, rather than on financial penalties. This enforcement model is significantly weaker than that of most modern data-protection regimes.
Source: Personal Information Protection and Electronic Documents Act, S.C. 2000, c. 5, sections 14–16
# Class actions and representative enforcement of PIPEDA privacy breaches
PIPEDA does not expressly authorize class action certification for privacy breaches, but Canadian courts have permitted class proceedings through two distinct procedural routes: section 14 applications in Federal Court (where the court's jurisdiction to certify a class action remains untested) and breach-of-contract claims in provincial superior courts based on an implied contractual term to comply with PIPEDA. Class actions have emerged as a critical enforcement mechanism because the Privacy Commissioner of Canada lacks the power to impose administrative fines, and individual damages awards under PIPEDA section 16 are typically modest, making systemic privacy breaches uneconomical to pursue individually.
## Federal Court section 14 applications and class certification uncertainty
PIPEDA section 14(1) permits "a complainant" to apply to the Federal Court for a hearing after receiving the Privacy Commissioner's report or being notified that the investigation has been discontinued. The singular "complainant" and the statutory precondition of a Commissioner's report have raised the question whether section 14 authorizes class proceedings or contemplates only individual applications.
The Federal Court has not ruled definitively on whether it possesses jurisdiction to certify a class action under section 14. The Federal Courts Rules contain general class-proceeding provisions (Rule 334.1 et seq.), but section 14 applications are sui generis statutory proceedings, not ordinary civil actions. The jurisdictional uncertainty arises because section 14 refers to "a complainant"—singular—who has received "the Commissioner's report" on that individual's complaint. Whether the Federal Court can aggregate multiple complainants' section 14 applications into a single certified class, or whether a single complainant can represent a class of individuals who did not themselves file complaints with the Privacy Commissioner, has not been authoritatively resolved.
Unable to confirm as of 2026-06-01 whether the Federal Court has certified a class action under PIPEDA section 14 in any decided case.
## Provincial superior court class actions: breach of implied contractual term
Because the Federal Court's jurisdiction to certify PIPEDA class actions is uncertain, and because provincial superior courts lack statutory jurisdiction to hear section 14 applications (section 14 confers that power exclusively on the Federal Court), plaintiffs' counsel have pursued PIPEDA class actions in provincial superior courts by pleading breach of an implied term of the contract between the organization and the individual that the organization would comply with PIPEDA.
### The implied-term theory
Every commercial relationship governed by PIPEDA—whether a customer agreement, an insurance policy, or an employment contract—creates contractual privity between the individual and the organization. Plaintiffs argue that PIPEDA imposes statutory obligations on organizations (the ten fair information principles in Schedule 1, codified through sections 5–10), and that compliance with those statutory obligations is an implied term of the contract. When the organization breaches PIPEDA, it simultaneously breaches the implied contractual term, giving rise to a provincial-law breach-of-contract claim that can support class certification under provincial class-actions legislation (Class Proceedings Act, 1992, S.O. 1992, c. 6 in Ontario; Class Proceedings Act, RSBC 1996, c 50 in British Columbia).
The plaintiff does not need to exhaust the Privacy Commissioner's complaint process or obtain the Commissioner's report before commencing a provincial-court breach-of-contract class action. The implied-term claim is a free-standing contract cause of action, not a section 14 application. This procedural route avoids both the one-year limitation period under section 14(2) (which runs from the date the Commissioner's report is sent) and the jurisdictional uncertainty surrounding Federal Court class certification.
### Practical advantages and certification barriers
Provincial superior court class actions under the implied-term theory permit plaintiffs to aggregate claims from thousands of individuals affected by a systemic PIPEDA breach without requiring each class member to file an individual complaint with the Privacy Commissioner. This is the only mechanism capable of imposing aggregate monetary consequences on organizations for widespread privacy violations, given that:
- The Privacy Commissioner cannot impose fines or binding corrective orders; the Commissioner's enforcement powers are limited to investigations, non-binding recommendations, and compliance agreements under section 17.1;
- Individual section 14 damages awards in Federal Court are typically measured in thousands of dollars (or less), making individual litigation economically irrational for most complainants when weighed against legal costs and the risk of adverse cost awards; and
- PIPEDA contains no statutory damages regime—no pre-set or range-based damages that can be awarded without proof of actual harm.
However, class certification in PIPEDA cases (whether pleaded as implied breach of contract in provincial court or as a hypothetical section 14 class action in Federal Court) faces the same statutory and common-law certification requirements as any other class proceeding under provincial class-actions legislation or the Federal Courts Rules:
- An identifiable class of persons;
- Common issues of law or fact;
- A representative plaintiff whose claims raise issues common to the class;
- A workable class definition and manageable proceeding; and
- A finding that a class proceeding is the preferable procedure for resolving the claims.
Privacy breaches often affect thousands or millions of individuals, satisfying numerosity and raising common issues about the organization's practices (whether it obtained valid consent under Principle 3 of Schedule 1, whether it implemented adequate safeguards under Principle 7, whether it disclosed personal information without authority in contravention of Principle 4.3). However, damages issues—whether pleaded as PIPEDA section 16 humiliation damages or as contract damages for breach of the implied PIPEDA-compliance term—frequently require individualized inquiry into each class member's subjective experience of harm, the sensitivity of the information compromised, and steps taken to mitigate. Courts have denied certification where damages issues predominate over common liability questions, or where the range of potential harm across the proposed class is so heterogeneous that individual mini-trials would be required.
## Damages in PIPEDA class actions and the absence of statutory damages
PIPEDA class actions pleaded as breach-of-contract claims are subject to ordinary contract damages principles: the plaintiff must prove actual loss causally connected to the breach, and must mitigate. This creates significant proof problems in privacy cases, where the harm is often dignitary (humiliation, loss of control over personal information, anxiety about potential future misuse) rather than economic.
To address this barrier, plaintiffs in PIPEDA class actions often seek nominal damages for the breach itself (applicable in contract law where a legal right is violated even if no pecuniary loss is proven). Nominal damages can accumulate across thousands of class members into a settlement or judgment large enough to create financial deterrence. However, Canadian courts have not awarded substantial aggregate nominal damages in privacy class actions as a matter of course; settlement negotiations and judicial approval of settlement amounts typically turn on the strength of the liability case, the likelihood of individual class members proving compensable harm, and the costs of administering individual claims.
PIPEDA does not authorize statutory damages—pre-set or range-based damages awards that do not require proof of actual harm. The Privacy Commissioner of Canada has repeatedly recommended that Parliament amend PIPEDA to introduce statutory damages similar to those available under the Copyright Act, R.S.C. 1985, c. C-42, section 38.1 (which permits a plaintiff to elect statutory damages of CAD $500–$20,000 per work infringed, without proving actual loss). As of 2026, Parliament has not enacted this reform for PIPEDA.
The absence of statutory damages and the challenges of proving individualized harm mean that most PIPEDA class actions settle rather than proceeding to trial and judgment. Settlement amounts reflect the parties' assessment of the litigation risks, the costs of continued proceedings, and the reputational and operational consequences of protracted privacy litigation.
## No administrative monetary penalties under PIPEDA
PIPEDA enforcement relies on reputational pressure (the Commissioner's public reports and naming of non-compliant organizations), voluntary compliance agreements under section 17.1, and the threat of Federal Court corrective orders and damages under section 16. The statute does not authorize the Privacy Commissioner to impose administrative monetary penalties (fines) directly.
This distinguishes PIPEDA from:
- The European Union GDPR, which authorizes supervisory authorities to impose fines up to €20 million or 4% of annual worldwide turnover (Article 83(5)–(6));
- Quebec's provincial privacy statute, the Act respecting the protection of personal information in the private sector (CQLR c P-39.1), as amended by Law 25 (effective in stages from September 2022), which authorizes the Commission d'accès à l'information du Québec to impose administrative monetary penalties up to CAD $10 million or 2% of worldwide turnover for serious contraventions; and
- The proposed federal Consumer Privacy Protection Act (Bill C-27, introduced 2022, not yet enacted as of 2026), which would authorize a new Privacy Commissioner to impose administrative monetary penalties up to the greater of CAD $10 million or 3% of global revenue, and would create an explicit private right of action for damages (section 106).
The absence of administrative fines in PIPEDA means that class actions are the only enforcement mechanism capable of imposing aggregate monetary accountability on organizations for systemic privacy breaches affecting large populations. Without class aggregation, the gap between the Privacy Commissioner's non-binding recommendations and the modest damages recoverable in individual Federal Court section 14 applications leaves organizations with minimal financial incentive to invest in robust privacy compliance for low-value, high-volume personal information processing.
## Cross-reference: individual damages claims
For a detailed discussion of individual damages awards under PIPEDA section 16, including the "egregious situations" threshold, the evidentiary requirements for proving humiliation, and reported quantum, see Individual private right of action and damages under PIPEDA section 16.
Source: Personal Information Protection and Electronic Documents Act, S.C. 2000, c. 5, sections 14–17.1
PIPEDA section 28 criminal offences: obstruction, breach notification violations, and prosecution by the Attorney General
PIPEDA creates a narrow criminal enforcement regime under section 28, which makes knowing contraventions of specified provisions and obstruction of the Privacy Commissioner criminal offences punishable by fine. Unlike the European Union's GDPR or Quebec's Law 25, PIPEDA does not authorize the Privacy Commissioner to impose administrative monetary penalties directly; the only financial sanctions available under the statute are the criminal fines under section 28, which require prosecution by the Public Prosecution Service of Canada and proof of knowledge or intent. Section 28 prosecutions are extremely rare in practice, and PIPEDA enforcement relies primarily on the Commissioner's investigatory powers, public reporting, compliance agreements, and the threat of Federal Court remedies.
## Elements of the section 28 offence
PIPEDA section 28 provides:
> Every organization that knowingly contravenes subsection 8(8), section 10.1 or subsection 10.3(1) or 27.1(1) or that obstructs the Commissioner or the Commissioner's delegate in the investigation of a complaint or in conducting an audit is guilty of an offence.
The offence has two distinct branches:
1. Knowing contraventions of specified statutory obligations
An organization commits an offence if it knowingly contravenes any of the following:
- Subsection 8(8): the prohibition on using an individual's Social Insurance Number as an identifier except where authorized by law.
- Section 10.1: the mandatory breach notification obligations — the duty to report to the Privacy Commissioner and notify affected individuals of breaches of security safeguards that create a real risk of significant harm, and to do so as soon as feasible after determining that the breach has occurred.
- Subsection 10.3(1): the duty to keep and maintain a record of every breach of security safeguards involving personal information under the organization's control, whether or not the breach meets the "real risk of significant harm" reporting threshold.
- Subsection 27.1(1): the duty to provide the Privacy Commissioner with any information the Commissioner may require for the purpose of carrying out the Commissioner's duties and functions under PIPEDA (added by the Digital Privacy Act, S.C. 2015, c. 32).
The mens rea requirement is knowledge: the organization must have knowingly contravened the obligation. Section 28 is not a strict-liability or absolute-liability offence. A good-faith error in assessing whether a breach meets the "real risk of significant harm" threshold under section 10.1, or a negligent failure to maintain complete breach records, does not satisfy the knowledge requirement. The Crown must prove that the organization was aware of the legal obligation and deliberately chose not to comply, or was willfully blind to the breach of the obligation.
2. Obstruction of the Privacy Commissioner
An organization commits an offence if it obstructs the Commissioner or the Commissioner's delegate in the investigation of a complaint or in conducting an audit. This branch of section 28 does not require proof that the obstruction was "knowing," though obstruction as a common-law concept generally requires intentional conduct or recklessness.
Forms of obstruction include:
- Refusing to produce records in response to a summons issued under the Commissioner's investigatory powers in section 12.1 or audit powers in section 18.
- Providing false or misleading information to the Commissioner during an investigation or audit (though such conduct may also constitute perjury under Criminal Code section 132 if made under oath).
- Denying the Commissioner or delegate access to business premises during an audit under section 18.
- Destroying, altering, or concealing records that are the subject of an investigation or audit, with intent to obstruct the Commissioner's inquiry.
The Office of the Privacy Commissioner of Canada has emphasized that organizations subject to PIPEDA must cooperate fully with investigations and audits, and that obstruction may result in a referral to the Attorney General for criminal prosecution. In practice, however, the Commissioner has rarely invoked section 28 obstruction provisions; the Commissioner's investigatory powers under section 12.1 (which include the authority to summon witnesses and compel production of documents "in the same manner and to the same extent as a superior court of record") have generally proven sufficient to secure compliance without resorting to criminal referrals.
## Penalties: dual-track summary conviction and indictable offence
Section 28 creates a dual-track or hybrid offence, meaning the Crown may elect to proceed either by summary conviction (the less serious procedure) or by indictment (the more serious procedure). The choice of procedure determines the maximum fine:
(a) If the Crown proceeds by summary conviction, the organization is liable to a fine not exceeding $10,000; or
(b) If the Crown proceeds as an indictable offence, the organization is liable to a fine not exceeding $100,000.
Section 28 does not authorize imprisonment as a penalty. The offence applies to "organizations" (which PIPEDA defines in section 2(1) to include associations, partnerships, persons, and trade unions, as well as corporations), and the penalties are exclusively monetary.
The dual-track structure gives the Crown discretion to calibrate the procedural severity and maximum penalty to the gravity of the conduct. Deliberate, sustained, or high-impact contraventions (for example, knowing failure to notify hundreds of individuals of a serious data breach, or systematic obstruction of a Commissioner audit) may proceed by indictment with exposure to the $100,000 maximum fine. Isolated, lower-impact violations may proceed summarily with the $10,000 cap.
## Per-individual liability for breach notification violations
The Government of Canada has stated its intention — in parliamentary materials accompanying the Digital Privacy Act amendments that introduced the breach notification regime in 2018 — that organizations that deliberately fail to notify individuals of breaches could be subject to a fine for every individual they failed to notify. The Office of the Privacy Commissioner has endorsed this interpretation, noting that subsections 10.1(1) and 10.1(3) both refer to a breach that creates a real risk of significant harm to "an individual" or "the individual" (singular), rather than to "individuals" collectively. Under this reading, an organization that knowingly fails to notify 1,000 affected individuals of a reportable breach could face up to 1,000 separate counts under section 28, with a maximum aggregate fine (if prosecuted by indictment) of $100 million ($100,000 × 1,000).
The Privacy Commissioner has stated that because the Commissioner does not prosecute offences under PIPEDA, practitioners seeking certainty on the application of this per-individual multiplier should contact the Public Prosecution Service of Canada and Innovation, Science and Economic Development Canada. As of 2026, no reported prosecution has tested this interpretation, and the per-individual theory remains untested in the courts.
## Prosecution by the Attorney General of Canada — not by the Privacy Commissioner
The Office of the Privacy Commissioner of Canada does not prosecute criminal offences under PIPEDA and cannot issue fines. The Commissioner's enforcement powers are limited to:
- Investigation and issuance of non-binding reports and recommendations under sections 12–13;
- Entering into compliance agreements under section 17.1;
- Applying to the Federal Court (or supporting a complainant's application) for binding corrective orders and damages under sections 14–16; and
- Referring information relating to the possible commission of an offence to the Attorney General of Canada, which may lead to prosecution by the Director of Public Prosecutions (the Public Prosecution Service of Canada).
If the Commissioner has reasonable grounds to believe that an organization has committed an offence under section 28, the Commissioner refers the matter to the federal Attorney General, who determines whether to direct a prosecution. The Crown prosecutes the offence in the ordinary criminal courts (provincial court for summary conviction proceedings, or provincial or superior court for indictable proceedings, depending on the province).
The burden of proof is the criminal standard: proof beyond a reasonable doubt. The Crown must prove that the organization knowingly contravened the specified provision or obstructed the Commissioner, and must do so to the satisfaction of a judge or (in indictable proceedings, if the accused elects) a jury. This evidentiary threshold is significantly higher than the civil standard ("balance of probabilities") that applies in Federal Court section 14 applications for damages and corrective orders.
## Rarity of section 28 prosecutions and reliance on civil enforcement
As of 2026, section 28 prosecutions are extremely rare. The Office of the Privacy Commissioner has stated publicly that criminal prosecution is not the primary enforcement mechanism under PIPEDA, and that the Commissioner's investigatory and compliance-agreement powers, combined with the threat of public reporting and Federal Court remedies, have been sufficient to secure compliance in the vast majority of cases.
The rarity of prosecutions reflects several structural features of PIPEDA's enforcement model:
- High evidentiary threshold: Proving knowledge beyond a reasonable doubt is difficult, particularly in corporate contexts where compliance decisions are diffused across multiple employees and systems.
- Modest maximum fines: Even the $100,000 indictable-offence cap (or the untested per-individual multiplier) is modest compared to the financial exposure under GDPR (fines up to €20 million or 4% of annual worldwide turnover) or Quebec Law 25 (administrative penalties up to CAD $10 million or 2% of worldwide turnover). For large multinational organizations, a $100,000 fine (or even a multi-count aggregate fine) may not create sufficient deterrence.
- Prosecutor discretion: The Public Prosecution Service of Canada must allocate limited resources among all federal offences, and privacy violations compete for attention with fraud, money laundering, terrorism financing, drug trafficking, and other traditional criminal priorities. Absent egregious conduct (deliberate cover-up of a massive breach, systematic obstruction involving destruction of records, or a pattern of recidivism), prosecutors may decline to proceed.
- Civil alternatives: The Commissioner's power to name non-compliant organizations publicly in investigation reports, to enter compliance agreements, and to support Federal Court applications for corrective orders and damages provides an enforcement pathway that does not require criminal-court proof and does not expose the organization to the stigma of a criminal conviction.
The result is that PIPEDA enforcement in practice relies on reputational pressure, voluntary compliance, and civil remedies, with section 28 criminal prosecution functioning as a reserve power for the most egregious cases of deliberate non-compliance or obstruction.
## Cross-reference: breach notification obligations
For a detailed discussion of the substantive obligations that underlie the breach notification offence under section 28 — including the "real risk of significant harm" threshold, the "as soon as feasible" timeline, the content of notifications, and the universal record-keeping requirement under section 10.3 — see Mandatory breach notification and criminal offences under PIPEDA sections 10.1–10.3.
Source: Personal Information Protection and Electronic Documents Act, S.C. 2000, c. 5, section 28