
Federal vs provincial: which privacy law applies?

Last reviewed 2026-06-29 · Plain-language summary, not legal advice.

Canada does not have a single privacy law. It has a layered system, and the first job for any organization is to work out which layer applies — because the answer changes your obligations. This page maps the layers and gives you a decision path.

Layer 1: the federal baseline — PIPEDA

The Personal Information Protection and Electronic Documents Act (PIPEDA) governs the private sector's handling of personal information in the course of commercial activity. You can read it at the Department of Justice: laws-lois.justice.gc.ca/eng/acts/P-8.6. Crucially, PIPEDA always governs personal information that crosses a provincial or national border in commerce — even into or out of provinces with their own laws. It also governs employee data in federally regulated workplaces. See "Does PIPEDA apply to your organization?" for the full scope test.

Layer 2: substantially-similar provincial laws

PIPEDA allows the federal government to step back where a province has enacted a private-sector privacy law declared substantially similar. Three provinces have done so: Quebec, British Columbia, and Alberta.

Within those provinces, the provincial law governs activity that stays inside the province; PIPEDA still governs anything that leaves it. Everywhere else in Canada — Ontario, the other provinces, and the territories — there is no general private-sector law, so PIPEDA applies directly.

Layer 3: health information

Health information is usually carved out into a dedicated provincial statute, like Ontario's PHIPA. Several health laws have been declared substantially similar to PIPEDA for health information custodians. Our roundup of provincial health privacy laws links the statute for every province.

Layer 4: the public sector

None of the above covers government. Federal institutions are governed by the federal Privacy Act, and each province and territory has its own public-sector access-and-privacy law (commonly a FOIP or FIPPA statute) for provincial bodies. If you are a vendor to government, those laws shape the contractual privacy terms you will be asked to meet, even though the general private-sector law still governs you as an organization.

A decision path

  1. Are you a government institution? If federal, the Privacy Act governs; if provincial, your province's public-sector law does.
  2. Is the information health information held by a custodian? The provincial health statute likely governs.
  3. Is the activity entirely within Quebec, BC, or Alberta? The provincial private-sector law governs that activity.
  4. Does the information cross a provincial or national border, or are you in any other province? PIPEDA governs.
  5. Operating nationally? Expect overlap — map each activity to its layer rather than assuming one law covers everything.

When a buyer tests your compliance with a questionnaire built on these laws, our Canadian privacy questionnaire guide shows how to answer, and the privacy-law hub links every statute in one place.

Common questions

Does federal or provincial privacy law apply to my business?

Often both, for different activities. PIPEDA is the federal baseline and always governs personal information that crosses a provincial or national border in the course of commercial activity. Within Quebec, British Columbia, or Alberta, the province's own substantially-similar private-sector law governs activity that stays inside the province. Elsewhere, PIPEDA applies directly. Health information and federal-government data are governed by separate statutes again.

What does 'substantially similar' mean?

PIPEDA lets the federal government exempt organizations from the federal law for intra-provincial activity when a province has enacted private-sector privacy legislation declared 'substantially similar' to PIPEDA. Quebec, British Columbia, and Alberta have such laws. The effect is that, within those provinces, the provincial law does the work PIPEDA would otherwise do — but PIPEDA still covers anything crossing the border.

Which privacy law covers health information?

Health information is usually governed by a dedicated provincial health-privacy statute rather than the general private-sector law — for example Ontario's PHIPA, Alberta's HIA, or Saskatchewan's HIPA. Several of these have been declared substantially similar to PIPEDA for health information custodians. Where no such law applies, PIPEDA can govern health information handled in commercial activity.

Are employee records covered by federal or provincial law?

It depends on the employer. PIPEDA covers employee personal information only in federally regulated workplaces (banks, telecommunications, airlines, inter-provincial transport, and similar). For most other employers, employee data is covered by provincial private-sector law where one exists — Alberta, BC, and Quebec each address employee information — and otherwise may fall outside general privacy legislation.
