For three years, the dominant story in Canadian privacy law was the federal one. Bill C-27, the Digital Charter Implementation Act, was on track to retire PIPEDA, replace it with the Consumer Privacy Protection Act, create a Personal Information and Data Protection Tribunal, and add Canada's first AI statute (AIDA) to the books. Law firms wrote thousands of pages on it. SaaS vendors built compliance roadmaps around it. Compliance directors briefed their boards on it.
That story ended on January 6, 2025. Parliament was prorogued, the bill died on the Order Paper, and a snap federal election followed in April 2025. As of May 2026, no replacement bill has been introduced under a confirmed number. Federal privacy modernization is stalled.
Canada has not stood still in the meantime. Quebec finished rolling out Law 25 in September 2024, with a CA$25 million or 4% of global revenue penal ceiling that puts the province in the same enforcement tier as GDPR. The Office of the Privacy Commissioner of Canada (OPC) still has no direct fining authority under PIPEDA. Class action settlements have crossed nine figures. The result is a patchwork that increasingly behaves like one regime, and Quebec is, in effect, Canada's national privacy regulator.
The center of gravity has shifted
Federal privacy reform stalled twice in five years. Quebec passed, implemented, and operationalized a GDPR-tier regime in the same window. For any organization processing personal information of Quebec residents, the strictest applicable rule is now the operational floor.
This piece walks through what is verifiable in the public record: the federal timeline, the Quebec convergence with GDPR, the disclosed costs of Canadian privacy failure to date, and the short list of questions every Canadian privacy regulator has asked when reviewing a breach.
A timeline of Canada's hardening privacy regime
The six-year arc from late 2018 through the start of 2025 was the most significant period of privacy law change in Canadian history. PIPEDA finally got mandatory breach reporting. Quebec wrote and rolled out a brand-new private sector privacy statute. The federal government drafted a near-total replacement of PIPEDA. By the time it ended, only Quebec had finished what it started.
The federal milestone was November 1, 2018, the date the breach reporting and record-keeping provisions of the Digital Privacy Act came into force. From that point forward, Canadian organizations subject to PIPEDA had to report any breach involving a real risk of significant harm to the OPC, notify affected individuals, keep records of every breach, and produce those records to the Commissioner on request. PIPEDA itself was not new. The reporting obligation was.
Quebec began its own rebuild a few years later. Phase 1 of Law 25 came into force on September 22, 2022, introducing the privacy officer designation, breach reporting obligations, and consent requirements for biometric data. Phase 2 followed on September 22, 2023, bringing privacy impact assessments, anonymisation rules, transparency and consent obligations, and the right to erasure. The penalty regime activated the same day. Phase 3 finished the rollout on September 22, 2024, adding data portability rights.
- November 1, 2018: PIPEDA mandatory breach reporting and record-keeping provisions come into force under the Digital Privacy Act.
- September 22, 2022: Quebec Law 25 Phase 1 in force. Privacy officer designation, breach reporting, biometric consent.
- September 22, 2023: Quebec Law 25 Phase 2 in force. Privacy impact assessments, anonymisation, right to erasure, penalty regime activates.
- September 22, 2024: Quebec Law 25 Phase 3 in force. Data portability rights complete the rollout. Quebec now has a fully operational, GDPR-aligned privacy regime.
- January 6, 2025: Parliament prorogued. Bill C-27 died on the Order Paper. Federal privacy reform stalls.
By the end of September 2024, Quebec had a fully operational, GDPR-aligned privacy regime with a public regulator (the Commission d'accès à l'information, or CAI) that can issue administrative monetary penalties directly. A few months later, the federal counterpart that was supposed to bring the rest of the country to a similar standard was dead.
The consistent thread across the six-year arc is Quebec. Federal reform stalled twice, with Bill C-11 in 2021 and Bill C-27 in 2025. Quebec passed, implemented, and operationalized Law 25 within the same window.
Bill C-27 is dead. What does that mean federally?
Bill C-27 was the federal government's second attempt to overhaul Canadian private sector privacy law. It would have replaced PIPEDA's commercial provisions with three new statutes: the Consumer Privacy Protection Act (CPPA), the Personal Information and Data Protection Tribunal Act, and the Artificial Intelligence and Data Act (AIDA). The Library of Parliament's Legislative Summary is the cleanest single read on what it would have done.
The bill was introduced in June 2022, passed second reading in April 2023, and went into committee study at INDU. It was still in committee when Parliament was prorogued on January 6, 2025. LEGISinfo flags the file as historical, with the last committee meeting on September 26, 2024. The bill never reached Report stage, third reading, or any Senate stage. After prorogation it lapsed automatically.
A snap federal election followed in April 2025. The 2025 federal budget signalled a new privacy statute and a companion tribunal bill, but as of May 2026 neither has been introduced under a confirmed number. Statements from the Minister of Innovation, Science and Industry have indicated AI regulation will be split from privacy reform when the next attempt comes, meaning the AIDA component may not return at all in its previous form.
Common misstatement in vendor compliance content
C-27 would not have given the OPC direct fining authority. Under the proposed CPPA, administrative monetary penalties up to the higher of CA$10 million or 3% of global revenue under s. 95(4) would have been recommended by the Privacy Commissioner and imposed by a new Personal Information and Data Protection Tribunal. The Commissioner would investigate. The Tribunal would impose. Penal fines under s. 128, the higher of CA$25 million or 5% of global revenue at the indictable tier, would have remained a court matter. The architecture mattered, and it was the architecture that died.
The practical effect today is straightforward. PIPEDA continues to govern federal private sector privacy. The OPC continues to investigate, publish findings, and refer matters to the Federal Court. No federal regulator can impose administrative monetary penalties for PIPEDA violations, and among provincial private sector privacy regulators only Quebec's CAI can.
Quebec now matches GDPR. Federal Canada doesn't.
The penalty gap between the federal regime and the Quebec regime is wider than most market commentary acknowledges.
Under PIPEDA, the OPC has no authority to impose administrative monetary penalties at all. The model is investigation, public report, and Federal Court referral. The only fines PIPEDA itself provides, in section 28, attach to a short list of offences (knowingly failing to report or record a breach, destroying information that is subject to an access request, retaliating against a whistleblower, or obstructing an investigation or audit) and are capped at CA$100,000 on indictable conviction. In a quarter-century of PIPEDA enforcement, no organization has paid a fine remotely close to what privacy regulators in the EU, the UK, or Quebec can now order. That is not because Canadian companies are better behaved. It is because no federal Canadian regulator has the tools.
Quebec's Law 25 changed the calculation provincially. Under the Act respecting the protection of personal information in the private sector, the CAI can impose an administrative monetary penalty of up to the higher of CA$10 million or 2% of preceding fiscal year worldwide turnover (s. 90.12). Penal proceedings before a court can result in fines of up to the higher of CA$25 million or 4% of preceding fiscal year worldwide turnover (s. 91), with corporate minimums of CA$15,000 and a doubling of the maximum on subsequent offences. The penal regime is substantively identical in severity to Article 83(5) of the GDPR, which sets the upper administrative fine tier at €20 million or 4% of global annual turnover, whichever is higher.
| Regime | Direct regulator fining authority | Maximum monetary exposure |
|---|---|---|
| PIPEDA (federal) | No. OPC investigates, publishes, and refers to Federal Court. | CA$100,000 on indictable conviction (s. 28), narrow offences only. |
| Quebec Law 25, administrative track | Yes. CAI imposes administrative monetary penalties directly. | CA$10M or 2% of worldwide turnover, whichever is higher (s. 90.12). |
| Quebec Law 25, penal track | Court-imposed after CAI proceedings. | CA$25M or 4% of worldwide turnover, whichever is higher (s. 91). |
| GDPR Article 83(5) | Yes. Member-state supervisory authorities impose directly. | EUR 20M or 4% of global annual turnover, whichever is higher. |
Two implications follow. First, any Canadian organization that processes personal information of Quebec residents is now exposed to GDPR-tier penalties even if its head office is in Toronto, Vancouver, or Halifax. The Act's territorial reach turns on where the data subjects are, not where the controller is. Second, for any organization operating across Canada, the strictest applicable rule effectively becomes the operational floor. There is no rational reason to maintain a Quebec-specific privacy program and a separate, weaker federal one when the same data flows touch Quebec residents constantly.
That is what it means to say Quebec is now Canada's privacy regulator in practice. Not a constitutional reallocation. A center of gravity shift, driven by the only Canadian regulator with a credible enforcement ceiling.
What Canadian privacy failure has actually cost
Penalty ceilings only matter if regulators use them. So far in Canada, the bigger numbers in the public record have come from class actions and direct breach response costs, not from regulators. The disclosed costs of Canadian privacy failure track that pattern.
The Desjardins breach remains the largest disclosed loss tied to a Canadian privacy failure. An employee with access to personal information exfiltrated data on roughly 9.7 million members and clients over 26 months before being caught. Direct response costs (investigation, notification, credit monitoring, customer protection programs) reached approximately CA$108 million before any class action exposure. On June 14, 2022, the Quebec Superior Court approved a class action settlement of CA$200.85 million in Lambert v. Desjardins, the largest Canadian financial services privacy settlement to date.
The LifeLabs cyberattack in October 2019 affected approximately 8.6 million Canadians and exposed personal health information across Ontario, British Columbia, and other provinces. A joint investigation by the Information and Privacy Commissioners of Ontario and B.C. found that LifeLabs had failed to protect personal health information adequately under PHIPA and B.C.'s comparable statute. On October 25, 2023, the Ontario Superior Court approved a CA$9.8 million class action settlement, four years after the attack.
The October 2023 ransomware attack on TransForm Shared Service Organization, a shared IT vendor for five southwestern Ontario hospitals and a clinic, exposed approximately 516,000 patients and employees and kept most affected systems offline until February 2024. Disclosed direct recovery costs exceeded CA$7.5 million across the affected institutions. The IPC Ontario investigation reinforced a long-standing principle: health information custodians remain accountable for the protection of personal health information even when a third-party vendor is the breach vector.
The February 2023 ransomware attack on Indigo Books and Music disclosed approximately CA$5.2 million in direct response costs as of April 1, 2023, with additional costs continuing to accrue in subsequent quarters. Indigo's full-year financial disclosures attributed CA$26.5 million in fourth-quarter revenue decline and CA$49.6 million in annual net loss to the attack.
| Incident | People affected | Disclosed cost |
|---|---|---|
| Desjardins (2019, settled 2022) | ~9.7 million members and clients | ~CA$108M direct response, CA$200.85M class settlement |
| LifeLabs (2019, settled 2023) | ~8.6 million Canadians | CA$9.8M class settlement, four years post-incident |
| TransForm hospitals (2023) | ~516,000 patients and employees | CA$7.5M+ disclosed recovery |
| Indigo Books and Music (2023) | Customer and employee data | CA$5.2M direct, CA$49.6M annual net loss attributed |
The class action tail dwarfs every regulatory penalty
The Desjardins settlement alone is roughly two thousand times the CA$100,000 ceiling on fines under PIPEDA's penal provisions, a ceiling no reported case has come close to. The regulatory penalty has not historically been the binding constraint on Canadian privacy compliance investment. Customer trust and class action exposure have done more work than the OPC ever has.
That asymmetry is unusual among major privacy regimes and is partly an accident of the federal statute. It will start to shift as Quebec exercises its administrative monetary penalty authority over the next several years. CAI decisions and enforcement priorities will become a leading indicator of the national privacy enforcement trajectory.
The cost gap between durable compliance and reactive compliance
The public breach record makes a structural point that gets lost in vendor marketing about ROI on compliance investment. Compliance is not primarily a cost center. It is a bounded, predictable expense that prevents an unbounded, unpredictable one.
Building an effective security program as the foundation, then mapping privacy and security frameworks onto it, is a discrete and bounded investment. Foundation work (gap assessment, policy build, control implementation, evidence wiring) typically falls in a CA$50,000 to CA$250,000 range for Canadian mid-market organizations. A GRC platform runs CA$15,000 to CA$100,000 annually depending on scale. Audit and certification activity adds CA$20,000 to CA$80,000 a year for SOC 2 or ISO 27001 cycles. Ongoing operations cost is predictable because the work is on cadence, not on crisis.
Compliance failure has none of those properties. Direct incident response on a serious breach starts in the seven-figure range and can run well into the eight figures. Class action exposure for breaches affecting hundreds of thousands or millions of Canadians is bounded only by the size of the affected population and the willingness of plaintiff counsel to certify the class. Quebec Law 25 fines of up to CA$25 million or 4% of global revenue add a regulatory ceiling that did not exist in Canada five years ago. Reputational repair is variable and often runs for years.
The companies that come through privacy failure intact are not the ones with the largest legal budgets. They are the ones whose privacy program was already running on cadence when the incident hit, who could produce dated evidence of reasonable safeguards, who reported promptly, and who responded proportionately. Programs run on cadence, not on intention. That is true for SOC 2, for ISO 27001, for PIPEDA, and for Law 25.
Three questions every Canadian privacy regulator asks
Reasonable safeguards:
- SOC 2 / ISO 27001 / equivalent program evidence
- Controls proportionate to data sensitivity
- Continuous monitoring and review on cadence
- Documented risk assessments

Timely detection and reporting:
- PIPEDA: "as soon as feasible"
- Quebec Law 25: "with diligence", practical 72h target
- Internal detection vs third-party notification
- Documented assessment of "real risk of significant harm"

Proportionate response:
- Notification quality and timing
- Affected individual support (credit monitoring, etc.)
- Cooperation with regulators
- Remedial actions and program improvements
Across the OPC's published findings on Desjardins and the Canada Revenue Agency credential-stuffing incident, the joint Ontario and B.C. commissioners' findings on LifeLabs, and the CAI's public framework for administrative monetary penalties, the evaluative criteria converge on a short list. The questions are nominally different in each statute but operationally identical.
The first question is always whether reasonable safeguards were in place at the time of the breach. Both PIPEDA's safeguards principle and Law 25's security obligations are framed in terms of measures proportionate to the sensitivity of the personal information. Regulators look for evidence of a documented program, controls proportionate to data sensitivity, continuous monitoring, and risk assessments dated before the incident. A SOC 2 Type II report or an ISO 27001 certificate is not legally required for either regime. Both function as durable evidence that reasonable safeguards existed.
The second question is whether the breach was detected and reported in time. PIPEDA's standard is "as soon as feasible", set out in section 10.1. Law 25's standard is "with diligence", interpreted in practice as a 72-hour target consistent with GDPR. The breach record matters line by line: when did internal monitoring fire, when did external notification arrive, when was the real risk of significant harm assessment documented, and when was the Commissioner notified.
The third question is whether the response was proportionate. Notification quality, support for affected individuals (including credit monitoring and identity protection where relevant), cooperation with regulators, and remedial actions all factor in. Regulators distinguish between an organization that had a bad day and learned from it and one that exhibited a pattern of inadequate safeguards across multiple findings.
What the three questions translate to operationally
- Reasonable safeguards. Documented program, controls mapped to data sensitivity, dated risk assessments, continuous monitoring evidence, SOC 2 or ISO 27001 as durable proof.
- Timely detection and reporting. Working monitoring stack, defined breach assessment process, 72-hour reporting capability, dated breach record.
- Proportionate response. Notification quality, affected-individual support, regulator cooperation, evidence of remediation closure.
For organizations operating across Canada, the practical implication is that satisfying the strictest applicable regulator (currently the CAI on Law 25) tends to satisfy the rest. Building and operating against SOC 2, ISO 27001, or an equivalent program that has been mapped to Law 25 obligations produces evidence that holds up under any of the three questions in any Canadian jurisdiction.
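The second question turns on a dated breach record, so here is a small Python model of one, added here as an illustration rather than code from the original article or from any regulator. It records the timestamps the regulators ask about (detection, determination, the "real risk of significant harm" assessment, regulator and individual notification), computes the reporting clock against the 72-hour practitioner target, flags ordering problems and third-party detection, and works out how long the record must be kept. The field names, the `evaluate` function and both sample incidents are constructed assumptions; the 72-hour figure is the practitioner target the article describes, not a statutory deadline, and the 24-month retention period is the one set by PIPEDA's Breach of Security Safeguards Regulations.

```python
"""Dated breach record with reporting-clock checks (illustrative example)."""
import calendar
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Practitioner target for Law 25's "with diligence" standard; not a statutory deadline.
LAW25_TARGET_HOURS = 72
# PIPEDA's Breach of Security Safeguards Regulations: keep the record for 24 months
# after the day the organization determines that the breach occurred.
PIPEDA_RECORD_RETENTION_MONTHS = 24
UTC = timezone.utc


@dataclass
class BreachRecord:
    """One entry in the breach record. Kept for every breach, reportable or not."""
    incident_id: str
    detected_at: datetime                 # monitoring fired, or a third party told us
    detection_source: str                 # "internal" or "third_party"
    determined_at: datetime               # organization determined a breach occurred; starts the clock
    rrosh_assessed_at: Optional[datetime] = None   # "real risk of significant harm" assessment documented
    rrosh_found: Optional[bool] = None             # outcome of that assessment
    regulator_notified_at: Optional[datetime] = None
    individuals_notified_at: Optional[datetime] = None
    data_elements: tuple = ()


def hours_between(start: datetime, end: datetime) -> float:
    """Elapsed hours. Timestamps must be timezone-aware so the clock is unambiguous."""
    if start.tzinfo is None or end.tzinfo is None:
        raise ValueError("breach record timestamps must be timezone-aware")
    return (end - start).total_seconds() / 3600.0


def retain_until(determined_at: datetime, months: int = PIPEDA_RECORD_RETENTION_MONTHS) -> datetime:
    """Earliest date the record may be dropped; clamps the day to the target month's length."""
    year = determined_at.year + (determined_at.month - 1 + months) // 12
    month = (determined_at.month - 1 + months) % 12 + 1
    day = min(determined_at.day, calendar.monthrange(year, month)[1])
    return determined_at.replace(year=year, month=month, day=day)


def evaluate(record: BreachRecord, now: datetime, target_hours: int = LAW25_TARGET_HOURS) -> dict:
    """Answer the regulator's second question for one record: detected, assessed and reported in time?"""
    findings = []
    hours_to_regulator = None
    within_target = None

    if record.determined_at < record.detected_at:
        findings.append("determination dated before detection: record is out of order")
    if record.detection_source == "third_party":
        # Regulators read third-party detection as a monitoring gap that needs explaining.
        findings.append("breach detected by a third party, not internal monitoring")

    if record.rrosh_assessed_at is None:
        findings.append("no documented real-risk-of-significant-harm assessment")
    elif record.rrosh_assessed_at < record.determined_at:
        findings.append("RROSH assessment dated before the breach was determined")
    elif record.rrosh_found is None:
        findings.append("RROSH assessment dated but outcome not recorded")

    if record.rrosh_found:
        if record.regulator_notified_at is None:
            elapsed = hours_between(record.determined_at, now)
            within_target = elapsed <= target_hours
            findings.append(f"regulator not yet notified; clock at {elapsed:.0f}h")
        else:
            hours_to_regulator = hours_between(record.determined_at, record.regulator_notified_at)
            within_target = hours_to_regulator <= target_hours
            if not within_target:
                findings.append(f"regulator notified {hours_to_regulator:.0f}h after determination, "
                                f"over the {target_hours}h target")
        if record.individuals_notified_at is None:
            findings.append("affected individuals not yet notified")

    return {"incident_id": record.incident_id, "reportable": record.rrosh_found,
            "hours_to_regulator": hours_to_regulator, "within_target": within_target,
            "retain_until": retain_until(record.determined_at), "findings": findings}


# Constructed sample records (not real incidents).
LATE_REPORT = BreachRecord(
    incident_id="IR-2023-0007", detection_source="third_party",
    detected_at=datetime(2023, 10, 23, 6, 30, tzinfo=UTC),
    determined_at=datetime(2023, 10, 23, 9, 0, tzinfo=UTC),
    rrosh_assessed_at=datetime(2023, 10, 24, 15, 0, tzinfo=UTC), rrosh_found=True,
    regulator_notified_at=datetime(2023, 10, 27, 10, 0, tzinfo=UTC),
    individuals_notified_at=datetime(2023, 10, 30, 12, 0, tzinfo=UTC),
    data_elements=("name", "SIN", "date_of_birth"))
LOW_RISK = BreachRecord(
    incident_id="IR-2023-0008", detection_source="internal",
    detected_at=datetime(2023, 11, 2, 14, 5, tzinfo=UTC),
    determined_at=datetime(2023, 11, 2, 14, 20, tzinfo=UTC),
    rrosh_assessed_at=datetime(2023, 11, 2, 17, 0, tzinfo=UTC),
    rrosh_found=False,  # below threshold: no notification owed, but the record is still kept
    data_elements=("hashed_password",))
NOW = datetime(2023, 11, 15, tzinfo=UTC)


def run_samples() -> dict:
    """Evaluate both constructed records as of NOW, keyed by incident id."""
    return {r.incident_id: evaluate(r, NOW) for r in (LATE_REPORT, LOW_RISK)}


if __name__ == "__main__":
    for incident, result in run_samples().items():
        print(incident, result["within_target"], result["retain_until"].date(), result["findings"])
```

The clock starts at `determined_at` rather than `detected_at` because that is the event both statutes hang the reporting duty on; the gap between the two, and whether detection was internal, is exactly what a regulator will ask about when the record is produced. The low-risk record shows the point practitioners most often miss: a breach below the notification threshold still has to be recorded, assessed and retained.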
Frequently asked questions
Is Bill C-27 coming back?
Not in its previous form. Bill C-27 died on the Order Paper when Parliament was prorogued on January 6, 2025, and a snap federal election followed in April 2025. The 2025 federal budget signalled a new privacy statute with a companion tribunal bill, and the Minister of Innovation, Science and Industry has publicly indicated that AI regulation will be split from privacy reform when the next attempt is introduced. As of May 2026, no replacement bill has been introduced under a confirmed number. The CPPA, the Personal Information and Data Protection Tribunal Act, and AIDA will need to be reintroduced as new legislation, with substantively different drafting in at least the AI component, before any of them become law.
Does PIPEDA actually have any teeth without C-27?
Limited teeth, by design. PIPEDA gives the Office of the Privacy Commissioner of Canada authority to investigate, publish findings, and apply to the Federal Court for enforcement, but no authority to impose administrative monetary penalties directly. The maximum fine under PIPEDA section 28 is CA$100,000 on indictable conviction, and only for narrow record-keeping or obstruction offences. The practical enforcement pressure on federally regulated organizations comes from three other places: OPC investigation findings that draw public and media attention, Federal Court referrals, and class action exposure. Quebec's CAI is the only Canadian privacy regulator with direct administrative monetary penalty authority at GDPR-tier ceilings.
My company is based in Ontario. Do I really need to worry about Quebec Law 25?
Yes, if you process personal information of Quebec residents. Law 25's territorial reach turns on where the data subjects are, not where the controller is headquartered. An Ontario business with Quebec customers, Quebec employees, or Quebec users sits inside the Act's scope and is exposed to administrative monetary penalties of up to CA$10 million or 2% of preceding fiscal year worldwide turnover under s. 90.12, and penal fines of up to CA$25 million or 4% under s. 91. For most pan-Canadian organizations, the rational operating posture is to design one program that satisfies Law 25 and let the federal regime sit underneath it, since Law 25 obligations are stricter on consent, breach reporting timelines, privacy impact assessments, and individual rights.
What is the difference between an administrative monetary penalty and a penal fine under Law 25?
Two separate enforcement tracks. Administrative monetary penalties under s. 90.12 are imposed directly by the Commission d'accès à l'information (CAI), Quebec's privacy regulator, with a ceiling of the higher of CA$10 million or 2% of preceding fiscal year worldwide turnover. They are administrative in character, do not require a court proceeding, and target a defined list of contraventions. Penal fines under s. 91 require penal proceedings before a court, carry a higher ceiling of the higher of CA$25 million or 4% of worldwide turnover, include a corporate minimum of CA$15,000, and double on subsequent offences. The CAI has a five-year limitation period to initiate penal proceedings. The two tracks are not mutually exclusive, and serious contraventions can attract both.
How do healthcare organizations handle privacy compliance in Canada when HIPAA does not apply?
Through a layered Canadian regime, not the US HIPAA framework. Personal health information in Canada is governed by PIPEDA at the federal level for commercial activity, by provincial health-sector statutes such as Ontario's Personal Health Information Protection Act (PHIPA) where one applies, and by Quebec's Law 25 for any data subjects in Quebec. Health information custodians remain accountable for personal health information even when a third-party vendor processes or stores it, a principle reinforced by the IPC Ontario investigation into the LifeLabs and TransForm incidents. A Canadian healthcare organization typically needs to satisfy PIPEDA, the relevant provincial health act, and Law 25 if Quebec residents are in scope, building one effective security program and mapping all three regimes onto it.
If I already have SOC 2 or ISO 27001, am I covered for Quebec Law 25?
Partially. SOC 2 and ISO 27001 give you durable evidence of reasonable safeguards, which addresses the security limb of Law 25 and the safeguards principle of PIPEDA. They do not, on their own, satisfy Law 25's specific obligations on consent, transparency, privacy impact assessments, breach reporting timelines, the right to erasure, data portability, or the privacy officer designation. The Osler analysis of Law 25 sets out these obligations explicitly. The most efficient path for organizations with an existing SOC 2 or ISO 27001 program is to map Law 25 obligations onto the existing control set, close the privacy-specific gaps, and add Law 25 as a compliance overlay rather than a parallel program.
What is the OPC's current enforcement model under PIPEDA?
Investigation, public finding, and Federal Court referral. The OPC's published guidance sets out the breach notification expectations: report any breach involving a real risk of significant harm, notify affected individuals, keep records of every breach, and produce them on request. When the Commissioner concludes that an organization has contravened PIPEDA, the typical outputs are a published Report of Findings and, in unresolved cases, an application to the Federal Court for a hearing de novo. The OPC has no authority to impose administrative monetary penalties under PIPEDA. That gap was the central design feature of the now-dead Bill C-27, and it remains the gap until federal privacy reform is reintroduced and passed.
Further reading
- Law 25 compliance checklist for Quebec privacy obligations
- SOC 2 consultants serving Canadian organizations
- The Canadian ransomware paradox: 88% don't pay, but 74% who do paid more than $25K
- ISO 27001 readiness scorecard
- CPCSC Level 1 readiness scorecard for Canadian defence supply chain
- Effective security as the foundation, frameworks as lenses
Sources and methodology
This piece relies on primary sources where they exist (Canadian legislation, Canada Gazette publications, Library of Parliament research, court records, and regulator publications) and on reputable Canadian law firm analyses where they offer the cleanest read on technical statutory provisions. Cost figures are drawn from disclosed corporate financial statements, court-approved class action settlements, and regulator findings.
Federal regime
- Order Fixing November 1, 2018 as the Day on which Certain Provisions of the Act Come into Force, SI/2018-32, Canada Gazette Part II: https://gazette.gc.ca/rp-pr/p2/2018/2018-04-18/html/si-tr32-eng.html
- Office of the Privacy Commissioner of Canada, breach response guidance: https://www.priv.gc.ca/en/privacy-topics/business-privacy/breaches-and-safeguards/privacy-breaches-at-your-business/gd_pb_201810/
- LEGISinfo, Bill C-27 (44-1), Digital Charter Implementation Act, 2022: https://www.parl.ca/legisinfo/en/bill/44-1/c-27
- Library of Parliament, Legislative Summary of Bill C-27: https://lop.parl.ca/sites/PublicWebsite/default/en_CA/ResearchPublications/LegislativeSummaries/441C27E
Quebec regime
- Osler analysis of Quebec Law 25 enforcement scheme (s. 90.12 administrative monetary penalty, s. 91 penal fine): https://www.osler.com/en/insights/blogs/risk/law-25-a-new-enforcement-scheme-for-protection-of-personal-information-in-the-private-sector-in-que/
- McCarthy Tetrault analysis of Phase 2 Law 25 obligations effective September 2023: https://www.mccarthy.ca/en/insights/blogs/techlex/quebec-law-25-update-latest-obligations-effective-september-2023
EU comparison
- GDPR Article 83(5), administrative fine maximum tier: https://gdpr-info.eu/art-83-gdpr/
Canadian breach cases
- Desjardins privacy breach settlement, Quebec Superior Court approval, June 14, 2022: https://www.desjardins.com/en/news/privacy-breach-settlement-agreement.html
- LifeLabs class action settlement, Ontario Superior Court approval, October 25, 2023: https://lifelabssettlement.kpmg.ca/
- IPC Ontario, custodians must ensure PHI protected even when using third-party providers (TransForm investigation): https://www.ipc.on.ca/en/cases-of-note/custodians-must-ensure-phi-protected-even-when-using-third-party-providers
- Indigo Books and Music, Q4 FY2023 financial disclosures (direct breach costs and revenue impact)
Methodology note on cost ranges: The compliance investment ranges in the cost gap section are drawn from Truvo Cyber's engagement patterns with Canadian mid-market organizations. They are not survey data. Specific organization costs vary materially with scope, system count, existing maturity, and audit body selection.
About the Author
Former security architect for Bank of Canada and Payments Canada. 20+ years building compliance programs for critical infrastructure.