Federal privacy law with real enforcement — but Canada is a Five Eyes member and shares intelligence with the US, UK, Australia, and New Zealand.
PIPEDA protects personal information held by private-sector organisations in Canada, with the Privacy Commissioner investigating complaints — but Canada's signals intelligence agency (CSE) participates in Five Eyes mass surveillance.
PIPEDA (2000) requires consent for data collection, limits use to stated purposes, gives individuals access rights, and requires adequate security. The Office of the Privacy Commissioner (OPC) investigates complaints and publishes findings — but has limited enforcement power: it cannot fine companies directly. The OPC can refer matters to Federal Court for orders and damages. Quebec, British Columbia, and Alberta have their own substantially similar privacy laws. A proposed replacement (Bill C-27/Consumer Privacy Protection Act) would add fines of up to 5% of global revenue, but has stalled in Parliament.
Canada is a founding member of the Five Eyes intelligence alliance (with the US, UK, Australia, New Zealand). The Communications Security Establishment (CSE) is Canada's signals intelligence agency — equivalent to the NSA. Under Five Eyes, partner nations can collect intelligence on each other's citizens and share it back, circumventing domestic legal restrictions. Snowden documents revealed that CSE operates mass metadata collection programmes and has intercepted Canadian communications despite legal prohibitions, by collecting them 'inadvertently' during foreign-focused operations.
CSE conducts signals intelligence (SIGINT), cyber security, and 'active cyber operations' (offensive hacking). The CSE Act (2019) gave it expanded powers including 'defensive' and 'active' cyber operations abroad. CSE operates a metadata programme that collected millions of Canadian emails between 2004 and 2014. A 2016 Federal Court ruling found CSE had illegally retained metadata for 10+ years. Rather than face consequences, the government passed new legislation (Bill C-59) legalising the collection.
Canadian companies (Shopify, BlackBerry, 1Password, OpenText) operate under PIPEDA — real consumer protection. But the Five Eyes backdoor means that data accessible to Canadian authorities is potentially shared with US/UK/AU/NZ intelligence. The Privacy Commissioner cannot investigate CSE. National security investigations are exempt from PIPEDA. A Canadian company can protect your data from corporate misuse but cannot prevent intelligence agency access via legal channels.