Thu. Nov 13th, 2025

Was Your Data Leaked? Here’s What Canadian and Ontario Privacy Laws Say About Your Right to Know


As data breaches become more frequent and alarming, many Canadians are asking a simple question: If my data is compromised, does the company have to tell me? The answer, under Canadian and Ontario privacy laws, is generally yes—but with significant caveats.

In both federal and provincial jurisdictions, organizations are required to safeguard the personal information they collect, and when that data is compromised in a breach they are generally expected to notify affected individuals if there is a "real risk of significant harm." Whether that notification is mandatory or merely encouraged, however, depends on which statute the organization falls under.

Under Ontario's Freedom of Information and Protection of Privacy Act (FIPPA), amendments in force since July 1, 2025 require provincial institutions such as ministries, colleges, hospitals and universities to report breaches to the Information and Privacy Commissioner (IPC) and to notify affected individuals "as soon as feasible" where the breach creates a real risk of significant harm.

However, the Municipal Freedom of Information and Protection of Privacy Act (MFIPPA), which governs municipal institutions like local governments and school boards, does not require mandatory breach notification—though the IPC strongly encourages it for transparency and harm mitigation.

Federally, private-sector organizations governed by the Personal Information Protection and Electronic Documents Act (PIPEDA) must report any breach that creates a real risk of significant harm to the Privacy Commissioner of Canada and notify the affected individuals. But again there is no hard deadline, only the requirement to do so "as soon as feasible" after the organization determines that a breach has occurred.

This lack of urgency contrasts sharply with Europe's General Data Protection Regulation (GDPR), which requires organizations to notify their supervisory authority within 72 hours of becoming aware of a breach, and to inform affected individuals "without undue delay" when the risk to them is high. Canada attempted to modernize its own breach notification rules through Bill C-27, but the bill died on the order paper when Parliament was prorogued in January 2025, ahead of the spring election.

A new attempt, Bill C-8, introduced in June 2025, proposes a 72-hour window, but only for designated critical infrastructure operators under federal jurisdiction, such as telecommunications providers, nuclear energy systems and banks, and only for reporting cyber security incidents to the federal government. It does not create a new duty to notify affected individuals.

Beyond breach notification, Canadian privacy law also lags behind Europe on the "right to be forgotten," the ability to have one's personal data deleted or removed from search engine results. PIPEDA contains no such provision, although Privacy Commissioner Philippe Dufresne has recommended that any future legislation include this right.

Privacy advocates argue that without stronger enforcement powers and clear deadlines, these rules lack real teeth. Toronto-based privacy lawyer Neil Hartung said timelines alone won’t solve the issue: “You can have all the fancy rules you want, but if no one is enforcing them, they’re not going to be followed.”

As Canadians continue to entrust sensitive data to corporations and government institutions, the calls for stronger privacy protections—and actual accountability—are only growing louder.
