April 17, 2026
OPC Enforcement Trends: What Canadian SMEs Need to Know in 2026
The Office of the Privacy Commissioner of Canada is increasing enforcement activity under PIPEDA. Here is what has changed and what it means for your breach reporting obligations.
Enforcement activity is increasing
The Office of the Privacy Commissioner of Canada (OPC) has significantly increased its enforcement activity under PIPEDA following updates to the Breach of Security Safeguards Regulations. Organizations that fail to report breaches — or that report late — are facing formal findings and public reports.
For Canadian SMEs, this shift matters. The OPC has historically focused enforcement on larger organizations, but recent guidance signals a broader mandate to investigate complaints from individuals whose organizations failed to notify them of breaches.
What has changed
Breach report volume is up. The OPC received a record number of breach reports in 2024–2025. The increase reflects both growing enforcement awareness among organizations and an increase in actual breach incidents, particularly ransomware.
Timeliness expectations are tightening. The OPC's interpretation of "as soon as feasible" under PIPEDA has shifted. Organizations that took weeks to report are increasingly subject to follow-up inquiries. The practical expectation is days, not weeks, from the determination that a real risk of significant harm (RROSH) is present.
Individual notification gaps are being scrutinized. The OPC has found in several recent investigations that organizations reported to the OPC but failed to notify affected individuals — or notified them in a form that did not meet the regulatory standard. Both obligations must be met.
What this means for Alberta and BC organizations
Alberta and BC organizations face an additional layer of complexity: Alberta PIPA mandatory reporting and BC PIPA voluntary reporting (with mandatory reporting expected to come into force when legislation is enacted).
For Alberta organizations, the OIPC Alberta has reinforced its expectation that individual notification occur simultaneously with or before regulatory reporting. The April 2024 streamlined review process offers a private closing letter to organizations that comply with this requirement.
Practical steps for SMEs
- Have a breach response plan before you need it. Knowing your reporting workflow in advance reduces the time between discovery and action.
- Assess RROSH promptly. Do not wait for complete forensic information. Assess on the best available information and update the assessment if new facts emerge.
- Document everything. The OPC and OIPC Alberta both require retention of internal incident records. PIPEDA requires retention for 24 months minimum.
- Know your jurisdictions. If your organization operates across provinces, you may have obligations under PIPEDA and one or more provincial statutes simultaneously.
Upcoming: Bill C-27 and privacy law modernization
The federal government's proposed Consumer Privacy Protection Act (CPPA) under Bill C-27 would replace PIPEDA with significantly stronger enforcement powers — including fines of up to 5% of global revenue for serious violations.
As of April 2026, Bill C-27 has not yet received Royal Assent. ClearBreach will update its rules engine to reflect CPPA obligations when the legislation comes into force.
ClearBreach covers PIPEDA, Alberta PIPA, and BC PIPA. Quebec Law 25 and Ontario PHIPA are outside our scope. If your organization operates in Quebec, engage Quebec-specific privacy counsel.
This article is for general informational purposes only and does not constitute legal advice. Confirm current regulatory requirements at priv.gc.ca, oipc.ab.ca, and oipc.bc.ca.