Canada — Scope & Applicability

The Personal Information Protection and Electronic Documents Act (PIPEDA) applies to every organization (including partnerships, persons, and trade unions) in respect of personal information that the organization collects, uses, or discloses in the course of commercial activities. PIPEDA's core territorial rule is federal-provincial division: the Act applies federally except where a province has enacted substantially similar legislation.

Federal works, undertakings, and businesses always within PIPEDA scope. Under section 4(1)(a) and (b), PIPEDA applies to:

• any organization in respect of personal information about an employee of a federal work, undertaking, or business, where the organization collects, uses, or discloses that information in connection with the operation of a federal work, undertaking, or business; and
• any organization in respect of personal information that the organization collects, uses, or discloses in connection with the operation of a federal work, undertaking, or business.

Section 2(1) defines "federal work, undertaking or business" as any work, undertaking, or business that is within the legislative authority of Parliament. The definition includes: works or undertakings connecting provinces or extending beyond a province's limits; navigation, shipping, and ship transportation anywhere in Canada; railways, canals, and telegraph connecting provinces; interprovincial or international ferries; aerodromes, aircraft, and air transportation; radio and television broadcasting; banks and authorized foreign banks; grain elevators and feed warehouses declared by Parliament to be for the general advantage of Canada; uranium mining and processing; works declared by Parliament to be for the general advantage of Canada or extending beyond provincial boundaries; and works, undertakings, and businesses to which federal laws under the Oceans Act apply (section 2(1) as read with section 20 and paragraph 26(1)(k) of the Oceans Act).

Provincial limitation: section 30 carve-out for intra-provincial activity. Section 30(1) provides that PIPEDA does not apply to any organization in respect of personal information that it collects, uses, or discloses within a province whose legislature has the power to regulate the collection, use, or disclosure of the information, unless the organization:

• collects, uses, or discloses the information in connection with the operation of a federal work, undertaking, or business; or
• discloses the information outside the province for consideration (i.e., in exchange for payment or other value).

In practice, this means that provinces with substantially similar private-sector privacy legislation (currently Alberta, British Columbia, and Quebec) regulate intra-provincial commercial activity by non-federally regulated entities. The Office of the Privacy Commissioner (OPC) treats Alberta's Personal Information Protection Act (PIPA), British Columbia's PIPA, and Quebec's Act respecting the protection of personal information in the private sector (Quebec Law 25 amendments effective September 2022–September 2024) as substantially similar, and exemption orders have been issued under section 30 by the Governor in Council. Organizations that collect, use, or disclose personal information wholly within Alberta, British Columbia, or Quebec and are not federally regulated, and do not disclose the information extra-provincially for consideration, are governed by provincial law and not PIPEDA.

For all other provinces and territories, PIPEDA governs commercial activities unless the organization falls within a federal-work exemption or a specific sectoral carve-out. Section 4.01 exempts business contact information collected, used, or disclosed solely for the purpose of communicating with an individual in relation to their employment, business, or profession.

Supervisory authority. The Privacy Commissioner of Canada (appointed under section 53 of the Privacy Act) investigates complaints, issues findings, and may apply to the Federal Court for remedies under Part 1 of PIPEDA. The Commissioner has no order-making power; enforcement is via Federal Court application under sections 14 and 15.

Source: Personal Information Protection and Electronic Documents Act, S.C. 2000, c. 5, sections 2(1), 4, 4.01, 30

PIPEDA applies only to personal information that an organization collects, uses, or discloses in the course of commercial activities (section 4(1)(a)). This is the threshold jurisdictional trigger; organizations that do not engage in commercial activities fall outside PIPEDA's scope unless the activity involves personal information of employees of federal works, undertakings, or businesses (section 4(1)(b)).

Statutory definition. Section 2(1) of PIPEDA defines "commercial activity" as:

> "any particular transaction, act or conduct or any regular course of conduct that is of a commercial character, including the selling, bartering or leasing of donor, membership or other fundraising lists."

The definition encompasses both isolated transactions and ongoing patterns of conduct, provided they possess a commercial character. The statutory inclusion of selling, bartering, or leasing donor and membership lists clarifies that non-profit organizations may engage in commercial activities even when the core mission is not profit-oriented.

"Commercial character" — the interpretive test. The Office of the Privacy Commissioner (OPC) has issued an Interpretation Bulletin on "commercial activity" that synthesizes court and tribunal findings. The central inquiry is whether the activity or conduct at issue possesses a commercial character. Courts examine the primary nature of the activity, not incidental features.

Not-for-profit status is not determinative. An organization's registration as a charity or its tax-exempt status does not automatically exempt it from PIPEDA. The OPC Interpretation Bulletin confirms that "not-for-profit organizations are not automatically exempt from PIPEDA" and that tax status alone is not determinative. The question is always whether the specific collection, use, or disclosure of personal information occurs in the course of an activity that has a commercial character.

Leading case-law principles. In State Farm Mutual Automobile Insurance Company v. Privacy Commissioner of Canada, 2010 FC 736, the Federal Court held that the primary characterization of the activity is the dominant factor. The Court stated:

> "The primary characterization of the activity or conduct in issue is thus the dominant factor in assessing the commercial character of that activity or conduct under PIPEDA, not the incidental relationship between the one who seeks to carry out the activity or conduct and third parties."

The Court rejected a mechanical approach that would extend PIPEDA coverage to an activity simply because a third party was paid to perform it on behalf of an individual. The collection of evidence by an individual defendant in a civil tort action was held not to be a commercial activity, even where the defendant retained third-party investigators, because the primary activity (mounting a legal defense) lacked commercial character.

Activities found to lack commercial character. The OPC Interpretation Bulletin and case law identify several categories of activity that do not constitute "commercial activities" for PIPEDA purposes:

• Litigation and legal proceedings. Disclosure of information required in the context of a legal proceeding is not subject to PIPEDA; "the relationship between litigants in the context of a legal proceeding is not one that can be described as commercial" (Hatfield v. Intact Insurance Company, 2014 NSSC 232).
• Mandatory regulatory functions. In Rodgers v. Calvert, 2004 ON SC, although an association's collection of membership fees constituted an "exchange of consideration" under contract law, the court noted this alone does not establish commercial activity. The provision of mandatory professional liability insurance by LawPro (the Law Society of Upper Canada's regulatory insurer) was found not to constitute commercial activity because its principal shareholder is the Law Society and its purpose is regulatory, not profit-driven.
• Core activities of municipalities, universities, schools, and hospitals (MUSH sector). The OPC has taken the position that PIPEDA does not apply to the core activities of public MUSH-sector institutions because they are not, on the whole, engaged in "trade and commerce" as contemplated under the federal Constitution Act, 1867. Charging a fee for a service does not automatically trigger PIPEDA if the service is part of the institution's core mandate (e.g., a hospital charging for a private room or a municipality charging a per-bag garbage fee). A MUSH-sector institution may become subject to PIPEDA when it engages in a non-core commercial activity (OPC Position on MUSH sector, December 2015).

Activities found to have commercial character. The OPC Interpretation Bulletin and case law also identify activities that do constitute commercial activities:

• Independent medical examinations for insurers. A physician conducting an independent medical examination on behalf of an insurance company, for the purpose of processing a claim, is engaged in commercial activity.
• Free services within a commercial business model. An organization offering free services may be engaged in commercial activity if the free offering is part of a broader commercial business model. The OPC Interpretation Bulletin instructs that "one ought to look beyond the free aspect of the specific activity in question and consider such activity within the context of the organization's business model as a whole" (citing Reference re Subsection 18.3(1) of the Federal Courts Act, 2021 FC 723).
• Selling, bartering, or leasing donor or membership lists. Expressly included in the statutory definition. A charity or non-profit that sells or barters its donor list is engaged in commercial activity for that transaction, regardless of its tax status.
• Non-profit daycares and membership-based testing services. The OPC found that a non-profit daycare charging for child-care services was caught by PIPEDA because payment for services was a commercial activity. Similarly, the non-profit Law School Admission Council, which administers entrance exams, was found to be engaged in commercial activity despite being non-profit and membership-based.

Private educational institutions and private hospitals. The OPC has stated that private educational institutions and private hospitals are generally more clearly engaged in commercial activities and should operate on the assumption that PIPEDA applies to them, unless substantially similar provincial legislation applies.

Business contact information exemption. Section 4.01 of PIPEDA exempts business contact information (an employee's name, title, business address, telephone number, or email) collected, used, or disclosed solely for the purpose of communicating with the individual in relation to their employment, business, or profession. This is a narrow carve-out from the Act's application.

Interaction with provincial legislation. Even where an organization is engaged in commercial activities, section 30(1) provides that PIPEDA does not apply to intra-provincial collection, use, or disclosure of personal information in provinces with substantially similar legislation (currently Alberta, British Columbia, and Quebec), unless the organization is a federal work, undertaking, or business or discloses the information outside the province for consideration.

Source: Personal Information Protection and Electronic Documents Act, S.C. 2000, c. 5, sections 2(1), 4, 4.01

Source: Office of the Privacy Commissioner of Canada, Interpretation Bulletin: Commercial Activity

Source: Office of the Privacy Commissioner of Canada, The Application of PIPEDA to Municipalities, Universities, Schools, and Hospitals

PIPEDA applies only to personal information, defined in section 2(1) as "information about an identifiable individual." This is the core data-type trigger; information that falls outside this definition is not subject to PIPEDA's collection, use, and disclosure rules. The definition is broad, technology-neutral, and captures both factual and subjective information, whether recorded or not.

Statutory definition and scope. Section 2(1) of PIPEDA defines "personal information" as "information about an identifiable individual." The definition does not include an exhaustive list of specific data categories, unlike the Privacy Act (which applies to federal government institutions and includes a detailed enumeration). PIPEDA's definition is intentionally flexible and expansive. The Office of the Privacy Commissioner (OPC) has stated that "the definition of 'personal information' deserves broad and expansive interpretation" and that "under PIPEDA, personal information includes any factual or subjective information, recorded or not, about an identifiable individual." The definition encompasses factual data (name, date of birth, financial transaction history, IP addresses when linkable to an individual), subjective information (personal opinions, views about an individual), biometric data, health information, and any other information that relates to or concerns an identifiable individual.

"About an identifiable individual" — the two-part test. The definition requires that information satisfy two conjunctive criteria: (1) it must be "about" an individual, and (2) the individual must be "identifiable."

1. "About" — relational requirement. The Federal Court of Appeal has held that "about" means the information is not just the subject of something but also relates to or concerns the subject (Canada (Information Commissioner) v. Canada (Transportation Accident Investigation and Safety Board), 2006 FCA 157). The information must have a meaningful connection to the individual. In the NAV CANADA case, cockpit voice recorder and air traffic control transcripts containing the utterances of pilots and controllers were found not to constitute personal information because the information consisted of "non-personal information transmitted by an individual in job related circumstances" — technical air traffic control data that did not engage "concepts of intimacy, identity, dignity and integrity of the individual." Conversely, information about an individual's activities as a consumer rights advocate, and internal agency discussions of their submissions, were found to be "about" the individual when those submissions implicated the individual's personal identity, dignity, and integrity.

**2. "Identifiable individual" — the Gordon test. Information will be about an "identifiable individual" where there is a serious possibility that an individual could be identified through the use of that information, alone or in combination with other information** (Gordon v. Canada (Health), 2008 FC 258). This test is contextual and considers:

• Direct identifiers. Information that directly identifies an individual on its face (name, photograph, fingerprints, government-issued identification number, email address associated with a known person).
• Indirect identifiers in combination. Information that, when combined with other available information, creates a serious possibility of identification. For example, an Internet Protocol (IP) address is personal information where an internet service provider (ISP) can link the IP address to a subscriber through a subscriber ID. Conversely, a postal code covering a wide geographic area with many homes, on its own, may not constitute personal information because the connection to a specific individual is too weak or far-removed.
• Reasonably foreseeable re-identification. The OPC and courts consider whether it is reasonably foreseeable that the information could be utilized to identify an individual, taking into account modern data-linking and data-mining technologies. The test is forward-looking: as technologies evolve and make it easier to access and link datasets, information initially thought to be non-personal may become personal information if a serious possibility of re-identification arises.

Information need not be recorded. The OPC has clarified that information need not be in a recorded form to constitute personal information. Oral conversations, biological samples, and real-time video surveillance all qualify as personal information if they are about an identifiable individual, even where the information has not been reduced to a document or electronic record.

Categories of information found to be personal information. The OPC Interpretation Bulletin and case law confirm that personal information includes:

• Names, when accompanied by other information. A name appearing alongside other information that relates to the individual (e.g., a name + transaction history, a name + medical record) is personal information. The name itself may also be personal information where its disclosure would reveal information about the individual.
• Unique identifiers. Social Insurance Numbers, driver's license numbers, passport numbers, health card numbers, credit card numbers, employee identification numbers.
• Biometric information. Fingerprints, voiceprints, facial recognition data, DNA profiles.
• Online identifiers. IP addresses (when linkable to a subscriber), device identifiers, cookies and tracking tokens that enable tracking of an individual's browsing activity, email addresses.
• Location data. GPS coordinates, cell tower triangulation data, location tags in photographs, check-in data.
• Financial and transactional data. Credit card transaction histories, bank account information, purchase records.
• Health information. Medical diagnoses, prescriptions, health services received, information derived from testing of body parts or bodily substances (PIPEDA section 2(1) defines "personal health information" as a subset of personal information, including donation of body parts, testing results, and information collected in the course of or incidentally to providing health services).
• Employment information. Performance reviews, salary, disciplinary records, leave records (subject to the business contact information exclusion discussed below).
• Subjective information. Personal opinions or views of the individual, and the views or opinions of another person about the individual.
• Communications content. Email content, text messages, voice recordings of phone calls.

Exclusions from the definition of personal information.

Business contact information (section 4.01). Section 4.01 of PIPEDA carves out a narrow category of business contact information from the Act's application. This exclusion applies where an organization collects, uses, or discloses business contact information solely for the purpose of communicating with an individual in relation to their employment, business, or profession.

Business contact information is defined by regulation as:

• the individual's name,
• title,
• business address (including email address),
• business telephone number, and
• any similar information.

The exclusion applies only where the organization uses the information solely to communicate with the individual in their professional capacity. If business contact information is used for any other purpose (e.g., tracking, profiling, marketing to the individual personally, compiling a database for sale), PIPEDA applies in full.

De-identified and anonymized information. Information that has been de-identified such that there is no longer a serious possibility of re-identification is not personal information. The OPC has endorsed the test articulated by the Ontario Information and Privacy Commissioner: once de-identified, a data set is considered to no longer contain personal information. Anonymized information has been irreversibly altered so that the person concerned cannot be re-identified. The Treasury Board of Canada Secretariat defines anonymized information as "personal information that has been de-identified to the point that there is no serious possibility of re-identification, by any person or body using any additional data or technology at this point in time." Organizations bear the burden of demonstrating that de-identification or anonymization has been effective and that re-identification risk is negligible in light of currently available technology and linkable datasets.

Information about organizations. Information about a corporation, partnership, or other legal entity (as opposed to an individual natural person) is not personal information. For example, a corporate tax identification number, a company's business address, or revenue data for a company is not personal information. Where a sole proprietor operates under their own name, however, information about the business may simultaneously be information about the identifiable individual proprietor and thus constitute personal information.

Publicly available information — limited disclosure exemption. PIPEDA does not exclude publicly available information from the definition of personal information. Publicly available information (e.g., information in a telephone directory, professional directory, or publication where the individual provided the information) is personal information, but PIPEDA includes limited exceptions under section 7 that permit collection and use of publicly available information without consent in certain circumstances. The Regulations Specifying Publicly Available Information (SOR/2001-7) enumerate categories of publicly available personal information that may be collected, used, or disclosed without consent under paragraphs 7(1)(d), 7(2)(c.1), and 7(3)(h.1).

Interaction with consent, collection, and use rules. Once information qualifies as personal information under section 2(1), PIPEDA's substantive rules apply: organizations must obtain consent for collection, use, or disclosure (Schedule 1, Principle 4.3, subject to statutory exceptions under sections 7–7.4), limit collection to purposes that are reasonable (Principle 4.4), and collect personal information by fair and lawful means (Principle 4.4). If the information is not personal information, PIPEDA does not apply to its collection, use, or disclosure.

Supervisory authority. The Privacy Commissioner of Canada interprets and applies the definition of personal information in the course of investigating complaints under Part 1 of PIPEDA. The Commissioner's findings and the Federal Court's decisions on judicial review provide binding and persuasive interpretations of "identifiable individual."

Source: Personal Information Protection and Electronic Documents Act, S.C. 2000, c. 5, section 2(1)

Source: Office of the Privacy Commissioner of Canada, Interpretation Bulletin: Personal Information

Source: Office of the Privacy Commissioner of Canada, PIPEDA requirements in brief

PIPEDA does not contain express territorial-scope language limiting its application to organizations physically located in Canada. The Act applies to every organization (including foreign organizations) in respect of personal information that the organization collects, uses, or discloses in the course of commercial activities (section 4(1)(a)), subject to the section 30(1) provincial carve-out. The Office of the Privacy Commissioner of Canada and Canadian courts have repeatedly held that PIPEDA applies to organizations outside Canada where a "real and substantial connection" to Canada exists.

Leading case and the real-and-substantial-connection test. In Lawson v. Accusearch Inc. (2007), the Federal Court held that the relevant test to determine whether the Privacy Commissioner has jurisdiction under PIPEDA to investigate a complaint against a foreign-based organization is whether there is a real and substantial connection between the subject matter, the parties, or the territory to Canada. The Court rejected a strict territorial reading of PIPEDA, holding that although "Parliament cannot have intended that PIPEDA govern the collection and use of personal information worldwide," PIPEDA can still cover foreign entities that either receive or transmit communications to and from Canada, and that collect and disclose personal information about individuals in Canada. The Court grounded this approach in the Supreme Court of Canada's decision in Society of Composers, Authors and Music Publishers of Canada v. Canadian Assn. of Internet Providers (SOCAN), which found that there is sufficient connection for the taking of jurisdiction where Canada is either the country of transmission or of reception.

Physical presence not required. The Federal Court and the OPC have confirmed that a physical presence in Canada is not required to establish a real and substantial connection when the activity involves online platforms or telecommunications. In A.T. v. Globe24h.com (PIPEDA Report of Findings #2015-002), the OPC found that a Romanian website operator with no physical presence in Canada fell under PIPEDA jurisdiction where the website republished Canadian court decisions and generated revenue by charging individuals to remove their personal information. The OPC stated that "telecommunications occur 'both here and there'" and that a physical presence is not determinative. Similarly, in the Clearview AI joint investigation (PIPEDA Findings #2021-001), the OPC and provincial privacy commissioners found jurisdiction over a U.S. company with no Canadian establishment where Clearview's operations necessitated the transmission and receipt of personal information between Canada and the United States, both when collecting information from Canadian sources and disclosing it through its software. The OPC and provincial commissioners rejected Clearview's argument that no real and substantial connection existed, stating: "Receipt may be no less 'significant' a connecting factor than the point of origin."

Indicia of a real and substantial connection — enforcement-decision factors. OPC investigations and Federal Court decisions have identified recurring factors that support a finding of real and substantial connection:

• Collection of personal information of Canadians or from Canadian sources. Where an organization collects personal information of individuals in Canada, or scrapes data from Canadian websites, social media, or other Canadian-based sources, this constitutes a significant connecting factor. In the Clearview AI investigation, the collection of images from Canadian social media users was a key factor. In the OpenAI investigation (PIPEDA Findings #2026-002), the OPC and provincial commissioners found that OpenAI's development of ChatGPT "involved and relied, in part, on the collection of the personal information of individuals in Canada or derived from Canadian sources (e.g., Canadian-based online platforms)" and that this collection occurred both before and after the public launch of ChatGPT.

• Provision of services to Canadians or targeting the Canadian market. Where an organization offers goods or services to Canadian residents, solicits Canadian customers, or markets to Canadians, the connection is strengthened. In the Adobe data-breach investigation (PIPEDA Report of Findings #2014-015), the OPC found that Adobe's statement that it is "responsible for marketing to Canadians" and that it "notified affected Canadians of the Data Breach" were factors that spoke in favor of, not against, a real and substantial connection to Canada. The OPC stated: "They show that Adobe is actively engaged in the Canadian market and that its products and services are targeted at Canadians."

• Cross-border transmission or reception of data to or from Canada. Where the organization's activities involve the transmission of personal information to Canada or the reception of personal information from Canada (or transmission from Canada to another jurisdiction), this is a sufficient connecting factor. In the KLM Royal Dutch Airlines investigation (PIPEDA Report of Findings #2011-002), the OPC found jurisdiction over a Netherlands-based airline where the complainant and family members were passengers traveling to Toronto. The sale of tickets and the provision of services to passengers destined for Canada created a real and substantial connection.

• Direct interaction with Canadians, including through websites or apps accessible in Canada. Where a website or app is accessible to Canadian users and the organization collects their personal information (for example, by requiring account creation, accepting payment from Canadian users, or tracking browsing activity), the connection is established. The OPC has stated that "direct interaction with Canadians" is a key indicator (for example, Bill C-11's Treatment of Cross-Border Transfers of Personal Information, OPC research publication, 2021).

• Revenue generation from Canadian users or sources. Where the organization's business model relies, in whole or in part, on revenue from Canadian users (subscription fees, advertising revenue, data sales, or charges for removal of personal information as in Globe24h.com), the connection is reinforced.

Application where the subject-matter connection is to Canada. The Federal Court in Lawson v. Accusearch held that the real-and-substantial-connection test can be satisfied by a connection to the subject matter of the complaint, even where the organization's activities are otherwise wholly foreign. In that case, the Court concluded that the complainant's personal information "had to have come from Canadian-based sources" and that PIPEDA's application was grounded in the Canadian origin and Canadian subject matter of the personal information.

Choice-of-law clauses and contractual disclaimers do not oust PIPEDA. In the Adobe investigation, the OPC rejected Adobe's argument that a choice-of-law provision in its Terms of Use and Privacy Policy, which purported to select California law as the applicable law, rendered PIPEDA inapplicable. The OPC stated: "We are not persuaded, given the current state of the law, that Adobe can contract out of its obligations under mandatory and quasi-constitutional legislation such as PIPEDA. In our view, it would be contrary to public policy to allow an organization with a real and substantial connection to Canada to avoid PIPEDA's protections by way of contract. Indeed, the very purpose of PIPEDA would be undermined if an organization could require individuals to waive their rights under the Act in order to obtain a product or service."

Timing of the connection — pre-launch and ongoing activity. In the OpenAI investigation, the OPC and provincial commissioners found a real and substantial connection to Canada prior to the November 30, 2022, public launch of ChatGPT where OpenAI had collected and used personal information of Canadians during the training of GPT-3.5 and GPT-4 models. The OPC rejected OpenAI's argument that jurisdiction could not exist before the product was publicly available to Canadian users, finding that the collection and use of Canadian personal information during development created the requisite connection. The OPC stated: "The invasion of privacy that may result from the collection and use of the personal information of Canadians ... occurs at the place of residence of the individuals concerned by this information, and the place of residence constitutes a sufficient connecting factor."

Threshold — "serious possibility" of a real and substantial connection. The case law does not require a quantitative threshold (for example, a minimum number or percentage of Canadian users). The standard is qualitative: whether, taking into account all of the circumstances, a serious possibility exists that the organization's activities have a real and substantial connection to Canada. The connection may arise from a single factor (for example, collecting personal information of Canadians) or from the cumulative weight of several factors.

Interaction with the section 30 provincial carve-out. Even where a foreign organization has a real and substantial connection to Canada and thus falls within PIPEDA's scope, section 30(1) provides that PIPEDA does not apply to intra-provincial collection, use, or disclosure in a province with substantially similar legislation (Alberta, British Columbia, or Quebec), unless the organization (a) collects, uses, or discloses the information in connection with the operation of a federal work, undertaking, or business, or (b) discloses the information outside the province for consideration. A foreign organization with a real and substantial connection to Canada that processes personal information wholly within one of those provinces and does not disclose it extra-provincially for consideration would be governed by the applicable provincial Act, not PIPEDA. In practice, most foreign online services and cloud providers engage in cross-border disclosure and thus remain subject to PIPEDA (or to PIPEDA alongside a provincial Act where concurrent jurisdiction applies).

Supervisory authority and enforcement. The Privacy Commissioner of Canada has jurisdiction to investigate complaints against foreign organizations where a real and substantial connection to Canada exists. The Commissioner may apply to the Federal Court for remedies under sections 14 and 15 of PIPEDA. Foreign organizations subject to PIPEDA must comply with all obligations under Part 1 of the Act, including the fair information principles in Schedule 1, consent requirements (section 6.1 and Principle 4.3), security safeguards (Principle 4.7), breach notification (sections 10.1–10.3), and openness (Principle 4.8). Organizations that refuse to cooperate with an OPC investigation or that fail to implement corrective measures risk adverse findings, Federal Court applications, and reputational harm from published investigation reports.

Cross-border data flows — accountability applies regardless of server location. PIPEDA does not prohibit cross-border transfers of personal information. The Act does not distinguish between domestic and international processing. However, Principle 4.1.3 of Schedule 1 imposes an accountability obligation on the transferring organization: "An organization is responsible for personal information in its possession or custody, including information that has been transferred to a third party for processing. The organization shall use contractual or other means to provide a comparable level of protection while the information is being processed by the third party." This accountability principle applies regardless of where the third party is located. An organization in Canada that transfers personal information to a processor outside Canada (cloud provider, call center, data analytics provider) remains accountable under PIPEDA and must ensure a "comparable level of protection" through contract or other means. The OPC has issued guidance on cross-border processing (Guidelines for processing personal data across borders, January 2009) and has confirmed that transfers for processing are a "use" of the information, not a disclosure, and that additional consent for the transfer is not required where the information is being used for the purpose for which it was originally collected.

Source: Personal Information Protection and Electronic Documents Act, S.C. 2000, c. 5, sections 2(1), 4, 30, Schedule 1 Principle 4.1.3

Source: Office of the Privacy Commissioner of Canada, Legal Framework

Source: Office of the Privacy Commissioner of Canada, PIPEDA Findings #2021-001: Joint investigation of Clearview AI, Inc.

Source: Office of the Privacy Commissioner of Canada, PIPEDA Report of Findings #2015-002: Website that generates revenue by republishing Canadian court decisions (Globe24h.com)

Source: Office of the Privacy Commissioner of Canada, PIPEDA Report of Findings #2014-015: Adobe data breach investigation

Source: Office of the Privacy Commissioner of Canada, PIPEDA Report of Findings #2011-002: KLM Royal Dutch Airlines

Source: Office of the Privacy Commissioner of Canada, PIPEDA Findings #2026-002: Joint Investigation of OpenAI OpCo, LLC

Source: Office of the Privacy Commissioner of Canada, Guidelines for processing personal data across borders, January 2009

Source: Office of the Privacy Commissioner of Canada, Bill C-11's Treatment of Cross-Border Transfers of Personal Information (research publication, May 2021)

PIPEDA applies to "every organization" in respect of personal information that the organization collects, uses, or discloses in the course of commercial activities (section 4(1)(a)). The statutory definition of "organization" is deliberately broad, but critical exclusions in section 4(2) carve out government institutions, individuals acting for personal or domestic purposes, and certain employee personal information. Whether an entity qualifies as an "organization" subject to PIPEDA determines threshold applicability; the exclusions then narrow the Act's reach even when the entity otherwise falls within the definition.

Statutory definition of "organization" — section 2(1). Section 2(1) of PIPEDA defines "organization" as:

> "an association, a partnership, a person and a trade union."

The definition is inclusive ("includes"), not exhaustive. Courts and the Office of the Privacy Commissioner (OPC) have interpreted "organization" broadly to capture any entity engaged in commercial activity, regardless of legal form, profit motive, or tax status. The inclusion of "a person" means that a natural person — including a sole proprietor conducting business — can be an "organization" for PIPEDA purposes when that person engages in commercial activities. An individual operating a business (for example, a consultant, contractor, or freelancer) who collects, uses, or discloses personal information in the course of their commercial activities is subject to PIPEDA as an organization.

The definition encompasses:

• Corporations (for-profit and non-profit).
• Partnerships (general, limited, or limited-liability partnerships).
• Sole proprietorships (individuals conducting business).
• Trade unions.
• Associations, including professional associations, industry associations, and voluntary membership bodies.
• Charities and non-profit organizations when engaged in commercial activities (see the discussion of "commercial activity" in the existing guide section on that topic). Tax-exempt or charitable status does not exempt an entity from being an "organization" if it engages in commercial activities.
• Foreign entities with a real and substantial connection to Canada (see the existing guide section on territorial scope).

Section 4(2) exclusions — entities and activities outside PIPEDA's scope. Section 4(2) of PIPEDA provides that Part 1 of the Act (the fair information principles and obligations) does not apply to:

**(a) any government institution to which the Privacy Act applies A government institution** within the meaning of the federal Privacy Act is excluded from PIPEDA. Section 3 of the Privacy Act defines "government institution" to mean any department, ministry of state, or body listed in the schedule to that Act, and any departmental corporation or parent Crown corporation as defined in the Financial Administration Act. Federal government departments, agencies, and Crown corporations are governed by the Privacy Act, not PIPEDA, when handling personal information in the course of their mandate.

Provincial, territorial, and municipal government institutions are similarly excluded. The OPC has consistently held that PIPEDA does not apply to provincial, territorial, or municipal governments when they are carrying out governmental functions. The rationale is that such entities are not engaged in "commercial activities" as contemplated by the federal division of powers under the Constitution Act, 1867; they are exercising public authority, not engaging in trade and commerce. For example, a municipality collecting property tax information, or a provincial ministry administering social assistance programs, is not subject to PIPEDA. The applicable provincial or territorial public-sector privacy legislation (for example, Ontario's Freedom of Information and Protection of Privacy Act or British Columbia's Freedom of Information and Protection of Privacy Act) governs instead.

Hybrid entities and ancillary commercial activities. A government institution or MUSH-sector entity (municipalities, universities, schools, hospitals) that undertakes a non-core commercial activity may become subject to PIPEDA for that specific activity. For example, the OPC has stated that a public hospital charging for a service that is outside its core mandate — such as operating a paid parking lot or a cafeteria open to the public — may be engaged in commercial activity for that limited purpose. The OPC's Position on the Application of PIPEDA to Municipalities, Universities, Schools, and Hospitals (December 2015) provides that PIPEDA does not apply to the core activities of public MUSH-sector institutions because they are not, on the whole, engaged in "trade and commerce," but a MUSH-sector institution may become subject to PIPEDA when it engages in a discrete commercial activity separate from its core public mandate.

Crown corporations and government business enterprises. A Crown corporation listed in the schedule to the Privacy Act is subject to the Privacy Act, not PIPEDA (section 4(2)(a)). However, certain commercial Crown corporations and government business enterprises that are not listed in the Privacy Act schedule may be treated as "organizations" under PIPEDA if they engage in commercial activities. The test is whether the entity is a "government institution" within the meaning of the Privacy Act; if not, and if the entity engages in commercial activities, PIPEDA applies.

(b) any individual in respect of personal information that the individual collects, uses or discloses for personal or domestic purposes only and does not collect, use or disclose for any other purpose This is the "household" or "personal and domestic purposes" exclusion. An individual who collects, uses, or discloses personal information solely for personal or domestic purposes — with no commercial, employment-related, or other non-personal purpose — is not an "organization" for PIPEDA purposes and the Act does not apply. The exclusion is narrowly construed: the moment the individual uses or discloses the information for any purpose other than personal or domestic, the exclusion is lost and PIPEDA applies if the other purpose is a commercial activity.

Examples of activities within the personal-and-domestic-purposes exclusion:

• An individual maintaining a personal address book or contact list for social purposes.
• A homeowner installing a home security camera that records only the homeowner's own property and is used solely for household security (not shared with third parties or used for any commercial purpose).
• An individual collecting recipes, photographs, or personal notes for their own use.

Examples of activities outside the exclusion (PIPEDA applies):

• An individual operating a home-based business (consultant, contractor, online seller) who collects client or customer personal information. The individual is engaged in commercial activity and is an "organization" under PIPEDA.
• An individual who collects names and email addresses of friends and family and then sells or barters that list to a third party for consideration. The sale or barter is a commercial activity and triggers PIPEDA application (section 2(1) expressly includes selling or bartering donor or membership lists in the definition of "commercial activity").
• A landlord renting residential property. The OPC has taken the position that a landlord collecting tenant personal information (for example, credit checks, employment verification, references) is engaged in commercial activity and is subject to PIPEDA. Residential rental is considered a commercial transaction, not a personal or domestic purpose.
• A condominium corporation or homeowners' association collecting resident personal information. The OPC has found that such entities are engaged in commercial activities when managing common property and collecting fees, and PIPEDA applies.

The exclusion is purpose-specific: if personal information is collected for a personal purpose but subsequently used or disclosed for a commercial or other non-personal purpose, PIPEDA applies to that subsequent use or disclosure.

(c) an organization in respect of personal information about an individual who is or was an employee of the organization that the organization collects, uses or discloses in relation to that individual's employment or volunteer work relationship with the organization, except where the organization is a federal work, undertaking or business This is the employee personal information exclusion. PIPEDA does not apply to an organization's collection, use, or disclosure of personal information about its current or former employees (including volunteers), except where the organization is a federal work, undertaking, or business as defined in section 2(1).

Scope of the employee exclusion. The exclusion applies to personal information collected, used, or disclosed "in relation to that individual's employment or volunteer work relationship." The information must be connected to the employment relationship. Examples include:

• Employee name, home address, Social Insurance Number, date of birth, emergency contact information collected for payroll, benefits administration, or HR recordkeeping.
• Performance reviews, disciplinary records, attendance records, training records.
• Medical information collected for accommodation purposes, disability benefits, or workplace safety (provided it is used in relation to the employment relationship).
• Background checks, reference checks, and pre-employment screening conducted for hiring purposes.

Information collected for purposes unrelated to the employment relationship is not excluded. If an employer collects employee personal information for a purpose outside the employment relationship — for example, if an employer operates a retail loyalty program and collects employee personal information as a customer, not as an employee — PIPEDA applies to that collection. The test is whether the collection, use, or disclosure is "in relation to" the employment or volunteer relationship.

The federal-work exception to the employee exclusion. The employee exclusion does not apply where the organization is a federal work, undertaking, or business (section 2(1)). For federally regulated employers (banks, airlines, railways, interprovincial trucking, telecommunications, broadcasting, grain elevators, uranium mining, and other entities within federal legislative jurisdiction under the Constitution Act, 1867), PIPEDA does apply to employee personal information. Section 7.3, added by the Digital Privacy Act (S.C. 2015, c. 32), provides a specific consent exception for federal works, undertakings, and businesses: they may collect, use, and disclose employee personal information without consent if (a) the collection, use, or disclosure is necessary to establish, manage, or terminate the employment relationship, and (b) the employer has informed the employee that the personal information will or may be collected, used, or disclosed for those purposes.

In practice, this means:

• Provincially regulated employers (most retail, hospitality, local services, professional services firms, and other organizations not engaged in interprovincial or federal transportation, communication, or finance) are not subject to PIPEDA for employee personal information. Provincial employment-standards legislation and provincial private-sector privacy legislation (where it exists — currently Alberta, British Columbia, and Quebec) govern instead. For provinces without substantially similar private-sector privacy legislation, there is a gap: employee personal information of non-federally-regulated employers is not governed by PIPEDA and may be subject only to sector-specific statutes or common law.

• Federally regulated employers (banks, airlines, railways, interprovincial trucking, telecommunications carriers, broadcasters, and other federal works, undertakings, and businesses) are subject to PIPEDA for employee personal information. They must comply with Schedule 1 fair information principles, including accountability, limiting collection, security safeguards, and the consent exception under section 7.3.

Business contact information exclusion (section 4.01). Section 4.01 of PIPEDA provides a further carve-out from the Act's application (not from the definition of "organization" but from PIPEDA's substantive rules): business contact information collected, used, or disclosed solely for the purpose of communicating with an individual in relation to their employment, business, or profession is exempt. Business contact information is defined by regulation (section 2(1)) as an individual's name, position name or title, work address, work telephone number, work fax number, or work electronic address. This narrow exclusion means that an organization may collect and use a business card, a LinkedIn profile, or an email signature block without engaging PIPEDA's consent and other requirements, provided the use is strictly for professional communication. If the business contact information is used for any other purpose (for example, compiling a marketing database, tracking, or profiling), PIPEDA applies.

Summary of exclusions. PIPEDA does not apply to:

1. Government institutions subject to the Privacy Act (federal departments, agencies, Crown corporations listed in the Privacy Act schedule) or provincial/territorial/municipal government entities carrying out public functions (section 4(2)(a)).
2. Individuals acting for personal or domestic purposes only, with no commercial or other non-personal use or disclosure (section 4(2)(b)).
3. Employee and volunteer personal information of organizations that are not federal works, undertakings, or businesses, where the information is collected, used, or disclosed in relation to the employment or volunteer relationship (section 4(2)(c)).

All other organizations — including corporations, partnerships, sole proprietors, non-profits, charities, trade unions, and foreign entities with a real and substantial connection to Canada — are subject to PIPEDA when they collect, use, or disclose personal information in the course of commercial activities, subject to the section 30 provincial carve-out for Alberta, British Columbia, and Quebec.

Supervisory authority. The Privacy Commissioner of Canada interprets and applies the definition of "organization" and the section 4(2) exclusions in the course of investigating complaints under Part 1 of PIPEDA. The Commissioner has no order-making power; findings are recommendations, and enforcement is via Federal Court application under sections 14 and 15.

Source: Personal Information Protection and Electronic Documents Act, S.C. 2000, c. 5, sections 2(1), 4(1), 4(2), 4.01, 7.3

Source: Office of the Privacy Commissioner of Canada, The Application of PIPEDA to Municipalities, Universities, Schools, and Hospitals (December 2015)

PIPEDA applies to "every organization" in respect of personal information that the organization collects, uses, or discloses in the course of commercial activities (section 4(1)(a)). The definition of "organization" is the subject-matter gatekeeper: if an entity does not meet the statutory definition, PIPEDA does not apply regardless of whether the activity is commercial or the data is personal information. The definition is broad and functional, capturing a wide range of entities including natural persons acting in a commercial capacity, but excluding government institutions (which are governed by the Privacy Act) and individuals acting in a personal or domestic capacity.

Statutory definition. Section 2(1) of PIPEDA defines "organization" as follows:

> "organization" includes an association, a partnership, a person and a trade union.

The definition is inclusive rather than exhaustive. The use of "includes" rather than "means" signals that the enumerated categories (association, partnership, person, trade union) are examples, not an exhaustive list. The definition encompasses:

• Corporations (whether for-profit or not-for-profit, whether incorporated federally or provincially);
• Partnerships (general partnerships, limited partnerships, limited liability partnerships);
• Associations (incorporated associations, unincorporated associations, professional associations, trade associations, membership organizations);
• Trade unions (labor organizations representing employees);
• Natural persons (individuals) acting in a commercial capacity (discussed below);
• Trusts operating in a commercial context (estate trustees, trustees of commercial trusts, pension plan trustees when engaged in commercial activities);
• Sole proprietorships (a natural person carrying on business under their own name or a business name is an organization for PIPEDA purposes when acting commercially).

The Office of the Privacy Commissioner (OPC) has stated that "the definition of organization is intended to be broad and inclusive." The statutory definition does not impose a requirement that the organization be incorporated, registered, or possess legal personality. An unincorporated association or an informal partnership engaged in commercial activities may constitute an "organization" under PIPEDA.

Natural persons (individuals) as "organizations" — the commercial-capacity test. A natural person — an individual human being — can be an "organization" under PIPEDA, but only when that individual is acting in a commercial capacity. The OPC has clarified that individuals acting in a personal or domestic capacity are excluded from PIPEDA's application. This exclusion is implicit in the definition of "organization" and has been affirmed by the OPC and by analogy to the definitions in Alberta's and British Columbia's substantially similar Personal Information Protection Acts (PIPAs), which expressly exclude "an individual acting in a personal or domestic capacity."

The leading case on this issue is State Farm Mutual Automobile Insurance Company v. Privacy Commissioner of Canada, 2010 FC 736. In that case, an individual defendant in a civil tort action retained private investigators to gather evidence for her defense. The plaintiff complained that the defendant's collection of personal information violated PIPEDA. The Federal Court held that the individual defendant was not an "organization" within the meaning of PIPEDA because the primary activity — mounting a legal defense in a personal-injury lawsuit — lacked commercial character. The Court stated:

> "The activities of an individual defendant in a personal injury action gathering evidence … is not a 'commercial activity' as that phrase is defined in PIPEDA. In other words, the relationship between litigants in the context of a legal proceeding is not one that can be described as commercial."

The Court's analysis focused on the nature of the activity the individual was engaged in, not merely the fact that the individual was a natural person. The implication is that an individual can be an organization under PIPEDA when engaged in commercial activities (for example, a sole proprietor operating a business, a self-employed consultant, a professional practitioner selling services).

Government institutions excluded — Privacy Act governs instead. PIPEDA does not apply to government institutions as defined in the Privacy Act. Section 4(2) of PIPEDA expressly provides:

> "This Part [Part 1, the substantive privacy rules] does not apply to any government institution to which the Privacy Act applies."

The Privacy Act, R.S.C. 1985, c. P-21, applies to federal government institutions listed in the Schedule to that Act. The Privacy Act governs the collection, use, and disclosure of personal information by federal departments, agencies, Crown corporations, and other federal institutions. Provincial and territorial government institutions are similarly governed by provincial or territorial public-sector privacy legislation (for example, freedom of information and protection of privacy acts in each province). Because government institutions are excluded from the definition of "organization" for PIPEDA purposes, a federal government department, a provincial ministry, a municipality, or a public university or hospital acting in its core governmental or public-sector capacity is not subject to PIPEDA.

The OPC has published guidance on the application of PIPEDA to municipalities, universities, schools, and hospitals (MUSH sector). The OPC's position is that PIPEDA does not apply to the core activities of MUSH-sector institutions because they are not, on the whole, engaged in "trade and commerce" as contemplated under the federal division of powers in the Constitution Act, 1867. The OPC states:

> "As a general rule, PIPEDA does not apply to the core activities of municipalities, universities, schools, and hospitals. By core activities we mean those activities that are central to the mandate and responsibilities of these institutions."

Providing a service for a fee does not automatically trigger PIPEDA if the service is part of the institution's core public mandate (for example, a hospital charging for a private room, a municipality charging a per-bag garbage fee). However, a MUSH-sector institution may become subject to PIPEDA when it engages in a non-core commercial activity (for example, a public university selling its alumni list to a third party for consideration). The OPC has stated that private educational institutions and private hospitals are generally more clearly engaged in commercial activities and should operate on the assumption that PIPEDA applies to them, unless substantially similar provincial legislation applies.

Crown corporations and agents of the Crown. Crown corporations and other agents of the Crown that engage in commercial activities may be subject to PIPEDA if they are not listed in the Schedule to the Privacy Act and are not otherwise exempted. For example, Canada Post Corporation, although a Crown corporation, is engaged in commercial activities and is subject to PIPEDA for its commercial operations. The Governor in Council has issued an order under section 7 of PIPEDA binding certain agents of Her Majesty (the federal Crown) to Part 1 of PIPEDA in respect of commercial activities (Order Binding Certain Agents of Her Majesty for the Purposes of Part 1 of the Personal Information Protection and Electronic Documents Act, SOR/2001-8). Organizations listed in that Order are subject to PIPEDA's substantive privacy rules.

Not-for-profit organizations and charities. A not-for-profit organization, charity, club, or community group is an "organization" within the statutory definition (section 2(1) expressly includes "an association" and "a person," and does not exclude non-profits). However, whether PIPEDA applies to a non-profit organization depends on whether the organization is engaged in commercial activities. The OPC has stated:

> "Non-profit organizations are usually not subject to the Personal Information Protection and Electronic Documents Act (PIPEDA) because they do not typically engage in commercial activities. This includes most charities, minor hockey associations, clubs, community groups and advocacy groups."

The OPC guidance confirms that not-for-profit status does not exempt an organization from PIPEDA if the organization engages in commercial activities. For example, a charity that sells, barters, or leases its donor list is engaged in a commercial activity (expressly included in the statutory definition of "commercial activity" in section 2(1)), and PIPEDA applies to that transaction. Similarly, a non-profit daycare that charges fees for child-care services, or a non-profit testing service that charges for entrance exams, may be subject to PIPEDA if the fee-based service constitutes a commercial activity. The OPC has applied PIPEDA to the non-profit Law School Admission Council (which administers the LSAT) and to non-profit daycares on this basis.

Professional associations and regulatory bodies. The OPC and Canadian courts have examined whether professional regulatory bodies and associations are "organizations" subject to PIPEDA. In Rodgers v. Calvert, 2004 ON SC, the court found that the provision of mandatory professional liability insurance by LawPro (the Law Society of Upper Canada's regulatory insurer) was not a commercial activity because LawPro's principal shareholder is the Law Society and its purpose is regulatory, not profit-driven. The court held that the collection of membership fees by an association does not automatically establish commercial activity; the critical question is whether the primary purpose of the activity is commercial. Where a professional regulatory body is performing a statutory regulatory function mandated by provincial law (for example, maintaining a registry of licensed professionals, adjudicating discipline matters, setting professional standards), those activities typically lack commercial character and PIPEDA does not apply. Conversely, where a professional association offers optional commercial services to its members (for example, selling advertising space in a publication, offering fee-based continuing education courses), those activities may be commercial and subject to PIPEDA.

Individuals acting in a personal or domestic capacity — excluded. Individuals collecting, using, or disclosing personal information for personal or domestic purposes are not "organizations" under PIPEDA. The OPC has stated:

> "In general, Canadian privacy laws do not apply to the conduct of individuals who are collecting, using or disclosing personal information for non-commercial purposes."

Examples of personal or domestic activities that fall outside PIPEDA's scope include:

• A homeowner collecting contact information for a neighborhood barbecue;
• An individual compiling a personal address book;
• A person posting photographs of family members on a personal social-media account;
• A private individual maintaining a household budget or filing taxes;
• A parent maintaining medical records for their child.

The exclusion turns on the purpose of the activity, not the nature of the data. Personal information collected or used for a personal or domestic purpose does not trigger PIPEDA, even where the same type of data would be covered if collected by an organization in a commercial context. However, where an individual monetizes personal data or collects it for a commercial purpose (for example, building an email list to sell to a third party, operating a blog with paid advertising), the individual may be acting in a commercial capacity and thus may constitute an "organization" subject to PIPEDA.

Interaction with "commercial activities" and the two-part jurisdictional test. The definition of "organization" is the first gatekeeper. Even if an entity qualifies as an "organization," PIPEDA applies only if the organization collects, uses, or discloses personal information in the course of commercial activities (section 4(1)(a), subject to the federal-works carve-out in section 4(1)(b)). A qualifying organization that does not engage in commercial activities falls outside PIPEDA's scope. The two-part test is conjunctive:

1. Is the entity an "organization" under section 2(1)? (Broad inclusive definition; excludes government institutions and individuals acting in personal/domestic capacity.)
2. Is the organization collecting, using, or disclosing personal information in the course of commercial activities? (Statutory definition in section 2(1); interpretive guidance in OPC Interpretation Bulletin on Commercial Activity and case law.)

Both prongs must be satisfied. A government institution fails the first prong. A non-profit association that does not engage in commercial activities fails the second prong.

Supervisory authority and enforcement. The Privacy Commissioner of Canada interprets and applies the definition of "organization" in the course of investigating complaints under Part 1 of PIPEDA. The Commissioner's findings and Federal Court decisions on judicial review provide binding and persuasive interpretations of "organization." Organizations uncertain about their status may consult the OPC's published guidance or seek a legal opinion. The OPC has published an online tool ("Find the right organization to contact about your privacy issue") to help individuals and organizations determine which privacy law applies to a given activity.

Source: Personal Information Protection and Electronic Documents Act, S.C. 2000, c. 5, sections 2(1), 4

Source: Office of the Privacy Commissioner of Canada, The Application of PIPEDA to Municipalities, Universities, Schools, and Hospitals

Source: Office of the Privacy Commissioner of Canada, How PIPEDA applies to charitable and non-profit organizations

Source: Office of the Privacy Commissioner of Canada, Questions and Answers regarding the application of PIPEDA, Alberta and British Columbia's Personal Information Protection Acts