PIPEDA gives the Office of the Privacy Commissioner of Canada (OPC) broad investigative powers but no authority to impose fines on its own. That single fact shapes the entire enforcement landscape. Unlike the GDPR's supervisory authorities, which can issue binding orders and multi-million-euro penalties, the OPC operates as an ombudsman - investigating complaints, publishing findings, and recommending corrective action. When an organisation refuses to cooperate, the matter escalates to the Federal Court, which can order compliance and award damages.
This model has drawn criticism for lacking teeth. The PIPEDA enforcement framework, set out in Division 2 (Sections 11-17.2) of the Act, relies heavily on cooperation between the regulator and respondent organisations. For website owners collecting personal data from Canadian visitors - through cookies, analytics tools, or account registration - understanding how this system works in practice matters more than memorising fine amounts.
How the OPC Complaint Process Works
Enforcement under PIPEDA is primarily complaint-driven. An individual who believes their privacy rights have been violated files a written complaint with the OPC under Section 11(1). The Commissioner can also initiate complaints independently under Section 11(2) when satisfied there are reasonable grounds to investigate - a power used in high-profile cases such as the joint investigation into 23andMe's 2023 data breach, announced in June 2024.
Once a complaint is accepted, the OPC notifies the respondent organisation and begins its investigation. Complaints arising from a refused access request must be filed within six months of the refusal, though the Commissioner has discretion to extend this period.
The OPC follows a calibrated approach. Not every complaint triggers a full investigation. Early resolution is attempted wherever possible - a voluntary, informal process where the OPC works with both parties to address the issue without formal findings. According to the OPC's 2024-2025 Annual Report, the office resolves hundreds of PIPEDA complaints each year through this early-stage process.
Investigation Powers Under Section 12.1
When early resolution fails or the complaint raises significant issues, the OPC launches a formal investigation. Section 12.1 grants the Commissioner powers equivalent to those of a superior court of record. These include the ability to summon witnesses and compel testimony under oath, enter business premises (excluding dwellings) during reasonable hours, examine and copy relevant records, and conduct private interviews with staff on-site.
The Commissioner may also attempt to resolve complaints through mediation or conciliation at any stage. These dispute resolution mechanisms sit alongside - not instead of - the formal investigative process.
There are circumstances where the OPC may decline to investigate. Under Section 12(1), the Commissioner can refuse if the complainant has not exhausted other available grievance procedures, if another federal or provincial mechanism would be more appropriate, or if the complaint was not filed within a reasonable period. The OPC can also discontinue an ongoing investigation under Section 12.2 for reasons including insufficient evidence, trivial or vexatious complaints, or because the organisation has already provided a fair response.
The Commissioner's Report: Findings Without Binding Force
Within one year of receiving a complaint, the Commissioner must prepare a report under Section 13. This report contains findings, recommendations, any settlement reached, and information about the complainant's right to apply to the Federal Court. The report goes to both the complainant and the respondent organisation.
Here is the critical point: the Commissioner's findings are not legally binding. The OPC cannot order an organisation to change its practices, pay compensation, or face a penalty. It can only recommend. This is the fundamental structural limitation of PIPEDA enforcement, and it distinguishes the regime sharply from the GDPR, where supervisory authorities issue binding decisions backed by substantial fines.
The OPC uses a defined set of terms when reporting findings. A complaint may be found "well-founded" (the organisation violated PIPEDA), "well-founded and resolved" (violation occurred but corrective action was taken), "not well-founded" (no violation), or "settled during the course of the investigation." These published findings name the respondent organisation only when the Commissioner deems it in the public interest.
Compliance Agreements Under Section 17.1
Introduced through the Digital Privacy Act (2015), compliance agreements give the OPC a tool that sits between informal recommendations and court action. Under Section 17.1, the Commissioner can enter into a compliance agreement with an organisation if there are reasonable grounds to believe a contravention has occurred, is about to occur, or is likely to occur.
The terms of a compliance agreement are flexible - the Commissioner can include any conditions considered necessary to bring the organisation into compliance. While an agreement is in effect, the Commissioner cannot apply to the Federal Court on the same matter. However, a compliance agreement does not prevent the affected individual from pursuing their own court application, nor does it bar criminal prosecution.
If the organisation complies with the agreement, the Commissioner issues written confirmation and withdraws any pending court applications. If the organisation fails to comply, Section 17.2 allows the Commissioner to apply to the Federal Court for an order enforcing the agreement's terms or to initiate a full court hearing.
Federal Court Remedies: Where Enforcement Gets Real
The Federal Court is the enforcement backstop of the PIPEDA system. Under Section 14, a complainant may apply to the Court for a hearing after receiving the Commissioner's report (or after being notified that an investigation has been discontinued). The application must be made within one year, though the Court may extend this period.
The Court hearing is de novo - it starts from scratch rather than reviewing the OPC's findings. The complainant must convince the Court independently that PIPEDA was violated. Section 16 grants the Court broad remedial powers, including the ability to order an organisation to correct its practices, to publish a notice of corrective actions taken, and to award damages - including damages for humiliation.
| Remedy | Section | Description |
|---|---|---|
| Compliance order | 16(a) | Court orders the organisation to correct practices to comply with Divisions 1 and 1.1 |
| Publication order | 16(b) | Court orders the organisation to publish notice of corrective actions |
| Damages | 16(c) | Court awards damages to the complainant, including for humiliation |
| Summary hearing | 17(1) | Applications are heard without delay and in summary fashion unless inappropriate |
| Confidentiality precautions | 17(2) | Court may hear representations ex parte or in camera to protect sensitive information |
The Commissioner can also participate in court proceedings under Section 15 - applying to the Court with the complainant's consent, appearing on behalf of the complainant, or intervening as a party with the Court's leave.
Damage Awards in Practice
Federal Court damage awards under PIPEDA have historically been modest but are trending upward. In Nammo v. TransUnion, the Court awarded $5,000 in damages for reliance on inaccurate credit information - the first monetary award under PIPEDA. The landmark Chitraker v. Bell TV (2013) saw $21,000 awarded, including $10,000 in exemplary damages - a significant increase that the Court justified partly by the size of the defendant organisation and its failure to cooperate with the investigation.
The Court in Chitraker established that actual financial harm is not required for a damage award. Damages under Section 16(c) serve three purposes: compensation, vindication of rights, and deterrence. An organisation's conduct after a breach - whether it cooperates, apologises, and takes remedial steps - directly influences the quantum of damages.
Class actions add another dimension. In Haikola v. The Personal Insurance Company (2019), the Ontario Superior Court approved a $2.25 million class action settlement involving an insurer's practice of running credit checks on accident benefit claimants. The Court observed that PIPEDA's individual complaint mechanism was not designed to provide remedies for systemic breaches, making class proceedings an important enforcement tool.
Criminal Offences and Fines Under Section 28
PIPEDA does include criminal penalties, though they apply to a narrow set of violations. Section 28 makes it an offence to knowingly contravene the breach notification and record-keeping requirements (Sections 10.1 and 10.3), to obstruct the Commissioner during an investigation or audit, or to destroy personal information after receiving an access request while it is still needed for the individual to exhaust their recourse.
The penalties are:
| Offence type | Maximum fine |
|---|---|
| Summary conviction | CAD $10,000 |
| Indictable offence | CAD $100,000 |
The government has stated that the $100,000 maximum applies per individual not notified - meaning a breach affecting thousands of people could theoretically generate enormous aggregate liability. In practice, criminal prosecution under Section 28 is rare. The OPC refers potential offences to the Attorney General of Canada, who decides whether to prosecute. The enforcement system relies far more heavily on the complaint-investigation-court pathway.
Recent Enforcement Trends: What the OPC Is Prioritising
The OPC published findings in several significant cases in 2024 and 2025 that illustrate current enforcement priorities. The joint OPC-ICO investigation into 23andMe (PIPEDA Findings #2025-001) found that the company had inadequate security safeguards and deficient breach notification processes. The investigation spanned two jurisdictions and demonstrated the OPC's growing use of international cooperation under Section 23.1 of PIPEDA.
The Google de-listing case (PIPEDA Findings #2025-002) explored whether PIPEDA includes a right to de-listing - the ability to have search results removed. After a jurisdictional battle that reached the Federal Court of Appeal, the OPC found that Google's continued display of outdated criminal charge articles was inconsistent with Section 5(3), which requires that personal information be collected, used, or disclosed only for appropriate purposes. Google refused to comply, leaving the complaint well-founded but unresolved.
The OPC's current enforcement focus areas include data breaches involving compromised credentials and phishing; consent failures, particularly around analytics and behavioural advertising cookies; cross-border data transfers; and the privacy implications of artificial intelligence. According to the OPC's 2024-2025 Annual Report, 43% of Canadians surveyed said they had been affected by a privacy breach, and breach reporting volumes remained high.
How This Differs From GDPR Enforcement
For organisations that operate across both Canadian and European markets, the structural differences between PIPEDA and GDPR enforcement are significant.
| Feature | PIPEDA | GDPR |
|---|---|---|
| Regulator's binding power | Recommendations only (non-binding) | Binding decisions and orders |
| Direct fining power | None (criminal penalties via Attorney General) | Up to 4% of global turnover or EUR 20 million |
| Maximum criminal fine | CAD $100,000 per offence | Varies by member state |
| Court involvement | Required for enforceable orders | Not required for administrative fines |
| Investigation model | Primarily complaint-driven | Complaint-driven and proactive |
| Compliance agreements | Yes (Section 17.1) | Not a formal mechanism (informal commitments exist) |
| Private right of action | Via Federal Court after OPC report | Direct under Article 82 |
The key practical difference: under the GDPR, a data protection authority can investigate and penalise without court involvement. Under PIPEDA, the entire enforcement chain - from complaint to binding order - requires either voluntary cooperation or a trip to the Federal Court. This makes the process slower but also gives respondent organisations more procedural opportunities to resolve issues before facing formal sanctions.
What Website Owners Should Do
Cookie consent and analytics tracking are increasingly within the OPC's enforcement scope. The OPC's policy position on online behavioural advertising treats browsing data collected for profiling purposes as personal information under PIPEDA, and its guidelines state that tracking techniques offering no mechanism for user control should not be used because they cannot comply with consent requirements.
For website owners serving Canadian visitors, practical steps include auditing your cookie categories and ensuring that analytics and marketing cookies do not fire before meaningful consent is obtained. Run a scan with a consent management platform to identify all cookies and third-party scripts operating on your site. Maintain a documented process for handling privacy complaints - PIPEDA Principle 4.10 (Schedule 1) requires organisations to have procedures for receiving and responding to complaints. Keep records of all data breaches for at least 24 months, as required by Section 10.3, and report any breach posing a real risk of significant harm to the OPC.
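As an added example (not code from the original article), the following JavaScript consent gate parks analytics and marketing tag loaders until the visitor opts in to that category, so neither category can fire on page load; the class name, tag names and `load` callbacks are hypothetical stand-ins for whatever injects the vendor scripts on a real site.

```javascript
// Added example, not code from the original article. A consent gate that queues
// analytics and marketing tag loaders and runs them only after the visitor opts
// in to that category. Names are hypothetical; `load` stands in for whatever
// injects the vendor script (e.g. appending a <script> to document.head).
const CATEGORIES = ["necessary", "analytics", "marketing"];

class ConsentGate {
  constructor() {
    // Strictly necessary tags are exempt from consent and may run at once.
    this.consent = { necessary: true, analytics: false, marketing: false };
    this.queue = { necessary: [], analytics: [], marketing: [] };
    this.fired = []; // audit trail: names of tags that actually ran, in order
  }

  // Register a tag. It runs immediately only if its category is already
  // consented; otherwise it is parked until the visitor opts in.
  register(name, category, load) {
    if (!CATEGORIES.includes(category)) {
      throw new Error(`unknown consent category: ${category}`);
    }
    const tag = { name, category, load, ran: false };
    if (this.consent[category]) this.run(tag);
    else this.queue[category].push(tag);
    return tag;
  }

  run(tag) {
    if (tag.ran) return; // never inject the same vendor script twice
    tag.ran = true;
    tag.load();
    this.fired.push(tag.name);
  }

  // Called by the consent banner with choices such as
  // { analytics: true, marketing: false }. Granting a category flushes its
  // queue; denying one leaves its tags parked for a possible later opt-in.
  update(choices) {
    for (const category of CATEGORIES) {
      if (category === "necessary") continue;
      this.consent[category] = choices[category] === true;
      if (this.consent[category]) {
        this.queue[category].splice(0).forEach((tag) => this.run(tag));
      }
    }
  }

  // Withdrawal blocks future loads in a category. Scripts that already ran
  // cannot be unloaded here; the site must also clear the cookies they set.
  withdraw(category) {
    if (category !== "necessary") this.consent[category] = false;
  }
}
```

The `fired` array doubles as the record of what actually executed for a given visit, which is the kind of evidence a complaint-handling process can point to.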
If an investigation does land on your desk, cooperate fully and promptly. The case law is clear that organisations which drag their feet, provide inadequate information, or fail to implement the Commissioner's recommendations face harsher outcomes at every stage - from the tone of published findings to the quantum of damages in Federal Court.
The Future: Bill C-27 Died, But Reform Is Coming
Bill C-27, which would have replaced PIPEDA with the Consumer Privacy Protection Act (CPPA), died on the order paper when Parliament was prorogued in January 2025. A snap federal election in April 2025 pushed reform further down the road. As of early 2026, PIPEDA remains Canada's federal private-sector privacy law. The new government has signalled that a replacement statute is expected to be introduced, potentially with fines of up to CAD $25 million or 5% of global revenue - a dramatic increase from the current $100,000 cap. The OPC has publicly advocated for order-making powers and a penalty-based enforcement regime to bring Canada closer to international standards set by the GDPR and Quebec's Law 25.
Until new legislation passes, the existing enforcement framework remains in force. Organisations that build compliance processes around the stricter standards of the UK GDPR, the LGPD, or Quebec's provincial law will be well-positioned for whatever Ottawa delivers next.
Frequently Asked Questions
Can the OPC fine my business for violating PIPEDA?
Not directly. The OPC can investigate, publish findings, and enter into compliance agreements, but it cannot impose administrative fines. Criminal fines of up to CAD $100,000 apply only to specific offences under Section 28, such as knowingly failing to report a breach or obstructing an investigation. These are prosecuted by the Attorney General, not the OPC.
How long does a PIPEDA investigation take?
The Commissioner is required to produce a report within one year of receiving a complaint. In practice, complex investigations can take considerably longer. The Google de-listing case, for example, involved jurisdictional challenges that reached the Federal Court of Appeal before the OPC could even begin its substantive investigation.
What happens if my organisation ignores the OPC's recommendations?
The complainant (or the Commissioner with the complainant's consent) can apply to the Federal Court for a binding order and damages. The Court hearing starts fresh and does not simply rubber-stamp the OPC's findings. Ignoring recommendations also increases the risk of higher damage awards and public findings naming the organisation.
Does PIPEDA require consent for analytics cookies on Canadian visitors?
PIPEDA requires knowledge and consent for the collection, use, or disclosure of personal information. The OPC considers browsing data collected for behavioural advertising and profiling to be personal information. Analytics cookies that can identify individuals or build profiles should be treated as requiring meaningful consent.
Can individuals sue my company directly under PIPEDA?
Yes, but only after the OPC process. A complainant must first file a complaint and receive the Commissioner's report (or be notified the investigation was discontinued). They then have one year to apply to the Federal Court. Class actions are also possible, though procedural questions about whether each class member needs an individual OPC complaint remain somewhat unsettled.
What is a compliance agreement and is it enforceable?
A compliance agreement is a negotiated arrangement between the OPC and an organisation aimed at ensuring compliance with PIPEDA. While in effect, it prevents the Commissioner from applying to the Federal Court on the same matter. If the organisation breaches the agreement, the Commissioner can seek a court orde