Canadian privacy 2026: PIPEDA still governs; Bill C-27 died on the Order Paper Jan 6, 2025 — no fines, only findings

Claim: PIPEDA applies to any private-sector organization in Canada engaged in commercial activity using personal information. Max fine: $100,000 per knowing violation.

Source: Office of the Privacy Commissioner of Canada — https://www.priv.gc.ca/en/privacy-topics/privacy-laws-in-canada/the-personal-information-protection-and-electronic-documents-act-pipeda/pipeda_brief/

The Bill C-27 update (important — supersedes earlier expectations):

Bill C-27 (Consumer Privacy Protection Act) died on the Order Paper on January 6, 2025, when Parliament was prorogued.

In June 2025, Minister Evan Solomon confirmed it "will not return in its old form." As of May 2026, Canada remains governed by PIPEDA — no monetary fines under the current regime, only findings, recommendations, and compliance agreements.

Confidence: Verified (Fasken legal analysis Jan 2025; OPC enforcement record consistent).

Ontario-specific: Ontario does NOT have a private-sector privacy law deemed substantially similar to PIPEDA, so PIPEDA applies to most commercial activity by Ontario service businesses. PHIPA (Personal Health Information Protection Act) governs Ontario healthcare providers separately.

Why this matters for the data-ownership thesis: owning structured data is easier for PIPEDA compliance, not harder — you can't honour an access request you can't fulfill from spreadsheets scattered across five clouds. See OPC vs Brinks Home (PIPEDA Findings #2024-002, Mar 28 2024): inadequate safeguards left customer data accessible for 10 weeks for the canonical Canadian enforcement case study.