Canada

OPC Canada investigates complaints, conducts audits, and publishes findings. Currently lacks order-making power (Bill C-27 would add this). Provincial commissioners in Quebec, Alberta, BC.

Meaningful consent is central. Knowledge and consent required with limited exceptions. Implied consent available for less sensitive processing.

Right to access personal information and challenge accuracy. Right to know about organisational practices. Complaint to OPC.

Transfers permitted with comparable protection by contract. No adequacy mechanism. OPC guidance requires accountability measures.

Mandatory breach reporting to OPC and notification to individuals for breaches posing real risk of significant harm (since 2018 PIPEDA amendments).

Must designate individual(s) accountable for compliance (Accountability Principle). Not formally called DPO but serves similar function.

OPC guidance considers children generally incapable of providing meaningful consent. No specific age threshold in PIPEDA. Quebec Law 25 sets age at 14.

PIPEDA currently has limited enforcement (no fines, only compliance agreements and Federal Court applications). Bill C-27 proposes penalties up to 5% of global revenue.

PHIPA (health in Ontario), FIPPA (public sector), bank and telecom regulations. CASL governs electronic marketing.

CASL requires consent for installing programs. PIPEDA consent requirements apply to cookie tracking. No specific cookie regulation.

Bill C-27 includes Artificial Intelligence and Data Act (AIDA). Directive on Automated Decision-Making applies to federal government. No current private sector AI law.

No general data localisation requirement. Provincial government data may have residency requirements.

No direct equivalent. PIPEDA applies to all commercial activities regardless of organisation size.

Federal Privacy Act governs government institutions. Access to Information Act provides transparency. PIPEDA covers private sector only.