Canada

What happens if a company has a data breach that exposes my personal information?

72 hours
Report deadline
Real risk
Harm threshold
PIPEDA
Governing law
Federal
Jurisdiction level
The Short Answer

If a company in Canada suffers a data breach exposing your personal information, it must report the breach to the Office of the Privacy Commissioner of Canada and notify you if there's a real risk of significant harm.

What the Law Says

Canada’s federal private-sector privacy law requires organizations to take specific steps when a data breach occurs.

Under the Personal Information Protection and Electronic Documents Act (PIPEDA), organizations must report breaches of security safeguards involving personal information to the Privacy Commissioner of Canada. They must also notify affected individuals — but only if the breach creates a 'real risk of significant harm' to them.

The law defines 'significant harm' broadly: it includes bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on credit records, and damage to or loss of property.

Organizations must keep records of every breach — even those not reported — for at least 24 months. These records help the Privacy Commissioner assess compliance.

Statutory Text

Organizations must report breaches of security safeguards to the Privacy Commissioner and notify affected individuals.

Personal Information Protection and Electronic Documents Act s. 10: Breach notification — S.C. 2000, c. 5

What to Do

1

Check if the company notified you — they must do so as soon as feasible if there’s a real risk of significant harm.

2

Review the notice for details: what information was exposed, what the company is doing to reduce harm, and steps you can take (e.g., monitoring accounts, placing fraud alerts).

3

Contact the company’s privacy officer with questions or concerns.

4

File a complaint with the Office of the Privacy Commissioner of Canada if you believe the company failed to comply — no fee and no lawyer required.

5

Consider freezing your credit or setting up fraud alerts with Canadian credit bureaus (Equifax Canada and TransUnion Canada).

Sources

statutePersonal Information Protection and Electronic Documents Act, s. 10 — Breach notification

Same Question, Other Jurisdictions

AustraliaIrelandSingaporeEuropean UnionIndiaSouth KoreaUKUS-CaliforniaUS-New YorkCompare all →

Not legal advice. This article is general information based on publicly available sources, written for educational purposes. Laws change and individual situations vary. Consult a licensed attorney in your jurisdiction before acting on anything you read here. Last reviewed: 2026-06-08.