PIPEDA and LGPD — Canadian and Brazilian Privacy Laws¶
Scope¶
This page covers two non-EU privacy regimes that frequently surface in cross-border engagements when GDPR coverage is the starting assumption but the actual jurisdiction is different: PIPEDA (the Canadian Personal Information Protection and Electronic Documents Act, in force since 2000 with substantial amendments under Bill C-27 still pending as of late 2025) and LGPD (the Brazilian Lei Geral de Proteção de Dados, in force since September 2020). Both are GDPR-influenced but have important differences from GDPR and from each other. Covers each law's applicability, the rights granted to data subjects, the obligations on controllers and processors, the cross-border transfer rules, the breach notification requirements, the cloud-relevant practical implementation patterns, and the relationship to GDPR for organizations that already handle GDPR compliance.
PIPEDA (Canada)¶
Applicability¶
PIPEDA applies to private-sector organizations that collect, use, or disclose personal information in the course of commercial activities. It applies federally and in provinces without substantially similar legislation. Quebec, BC, and Alberta have their own provincial laws (PIPA and Quebec's Law 25) that supersede PIPEDA for organizations operating only within those provinces.
PIPEDA also applies to federally regulated private-sector organizations (banks, telecommunications companies, airlines, broadcasters) regardless of province.
For an international organization with Canadian customers or Canadian operations, PIPEDA almost certainly applies — there is no minimum size threshold, and the "commercial activities" criterion is broadly interpreted.
The 10 Fair Information Principles¶
PIPEDA is built around 10 principles drawn from the OECD privacy guidelines:
- Accountability — the organization is responsible for personal information under its control
- Identifying purposes — purposes for collection must be identified before or at collection
- Consent — knowledge and consent of the individual are required
- Limiting collection — collection is limited to what is necessary for the identified purposes
- Limiting use, disclosure, and retention — use only for the identified purposes; retain only as long as necessary
- Accuracy — personal information should be accurate, complete, and up-to-date
- Safeguards — protect personal information appropriate to its sensitivity
- Openness — make policies and practices regarding personal information available
- Individual access — individuals can access and correct their personal information
- Challenging compliance — individuals can challenge an organization's compliance
The principles are operationalized through written policies, training, and technical controls. PIPEDA does not prescribe specific technical safeguards (unlike GLBA's Safeguards Rule), but expects them to be commensurate with the sensitivity of the information.
Breach Notification¶
PIPEDA requires notification of breaches that pose a real risk of significant harm (RROSH) to:
- The Office of the Privacy Commissioner of Canada (OPC) — as soon as feasible
- Affected individuals — as soon as feasible after the determination of RROSH
- Other organizations that may be able to mitigate the harm
The "real risk of significant harm" threshold means not every breach triggers notification — only those where the harm is meaningful (financial loss, identity theft, damage to reputation, loss of employment, negative effect on credit). The organization must conduct a risk assessment and document the result.
Cross-Border Transfers¶
PIPEDA does not have explicit cross-border restrictions like GDPR's Chapter V. The Office of the Privacy Commissioner has issued guidance that:
- Personal information transferred to a third party (including a foreign one) for processing remains the responsibility of the original organization
- The original organization must ensure comparable protection by the third party (typically via contract)
- Individuals should be informed that their information may be transferred for processing
The practical effect is that an organization can transfer Canadian personal information to a US-based cloud provider for processing as long as it has a contract with the provider that provides comparable protection. This is a much simpler regime than GDPR's adequacy / SCC / BCR framework.
Bill C-27 (pending)¶
Bill C-27, the Digital Charter Implementation Act, is pending in the Canadian Parliament as of late 2025. If enacted, it will:
- Replace PIPEDA with a more GDPR-aligned Consumer Privacy Protection Act (CPPA)
- Add monetary penalties (up to $25M CAD or 5% of global revenue for serious violations)
- Add a private right of action
- Strengthen the OPC's enforcement powers
- Add the Artificial Intelligence and Data Act (AIDA) for AI governance
The exact form of the final legislation has been in flux. Organizations subject to PIPEDA should monitor the C-27 status and prepare for the additional obligations, particularly the monetary penalty regime.
LGPD (Brazil)¶
Applicability¶
LGPD applies to any processing of personal data:
- Carried out within Brazilian territory
- For the purpose of offering or providing goods or services to individuals in Brazil
- Of personal data collected in Brazil
This is a broad extraterritorial scope similar to GDPR. An organization based outside Brazil but with Brazilian customers is subject to LGPD.
LGPD applies to natural persons and legal entities that process personal data, with an exception for processing for personal, journalistic, artistic, academic, or strictly defensive purposes.
Legal Bases for Processing¶
LGPD lists 10 legal bases for processing personal data — broader than GDPR's 6 bases:
- Consent of the data subject
- Compliance with a legal obligation of the controller
- Public administration for the execution of public policies
- Studies by a research entity (with anonymization where possible)
- Execution of a contract or preliminary procedures related to a contract
- Regular exercise of rights in legal, administrative, or arbitration proceedings
- Protection of life or physical safety of the data subject or third party
- Health protection in procedures performed by health professionals
- Legitimate interests of the controller or third party (subject to balancing test)
- Credit protection
The "credit protection" basis is unique to LGPD and reflects the importance of credit reporting in the Brazilian financial system.
Data Subject Rights¶
LGPD grants data subjects rights similar to GDPR:
- Confirmation that data is being processed
- Access to the data
- Correction of inaccurate or incomplete data
- Anonymization, blocking, or deletion of unnecessary or non-compliant data
- Portability of the data to another service or product provider
- Deletion of data processed with consent (with some exceptions)
- Information about public and private entities with which the data has been shared
- Information about the possibility of denying consent and the consequences
- Revocation of consent
Cross-Border Transfers¶
LGPD restricts international transfers of personal data, with several mechanisms allowed:
- Adequacy decision by the Brazilian National Data Protection Authority (ANPD) — similar to GDPR adequacy
- Specific safeguards — standard contractual clauses, binding corporate rules, certifications, or codes of conduct (not yet published by the ANPD as of late 2025)
- Consent of the data subject
- Necessity for contract execution with the data subject
- Necessity for life or physical safety protection
- International cooperation between public bodies
- Specific authorization from the ANPD
The mechanism most commonly used in practice is standard contractual clauses, even though the ANPD has not yet finalized the model clauses — most organizations use clauses that mirror GDPR SCCs.
Breach Notification¶
LGPD requires notification of breaches that pose risk or relevant damage to data subjects:
- To the ANPD — within a "reasonable" timeframe (the ANPD has indicated 2 business days as the expectation, though this is not codified)
- To affected data subjects — within a "reasonable" timeframe
The notification must include the nature of the affected data, the data subjects involved, the technical and security measures used, the risks, the reasons for delay (if any), and the measures adopted in response.
Penalties¶
LGPD penalties are imposed by the ANPD:
- Warning with a corrective action deadline
- Simple fine up to 2% of revenue from the previous year (capped at R$50M per violation, ~$10M USD)
- Daily fine for ongoing violations
- Public disclosure of the violation
- Blocking or deletion of the personal data
- Suspension or prohibition of processing activities
The first significant LGPD enforcement actions occurred in 2022–2023 and have been escalating since.
Comparison Table¶
| Aspect | PIPEDA (current) | LGPD |
|---|---|---|
| Effective | 2000 (amended periodically) | September 2020 |
| Extraterritorial scope | Limited (commercial activities in Canada) | Yes (broad, similar to GDPR) |
| Legal bases for processing | Consent-centric | 10 bases including legitimate interests |
| Data subject rights | 9 (access, correction, withdrawal of consent) | 9 (similar to GDPR) |
| Breach notification timeline | "As soon as feasible" with RROSH threshold | "Reasonable" (~2 business days expected) |
| Cross-border transfer mechanism | Contract with comparable protection | Adequacy / SCC / consent / specific authorization |
| Penalties (current) | None for PIPEDA violations specifically; OPC can name and shame | Up to 2% of revenue, R$50M cap per violation |
| Penalties (pending C-27) | Up to $25M CAD or 5% of global revenue | (no change pending) |
| GDPR alignment | Less aligned (especially without C-27) | More aligned, but distinctly Brazilian |
Architect Checklist¶
- [Critical] Determine which laws apply based on data subjects' locations and the organization's commercial activities. Many international organizations are subject to GDPR + PIPEDA + LGPD + state-level US laws simultaneously.
- [Critical] Maintain a records of processing activities that satisfies the most stringent applicable framework (typically GDPR Article 30). The same records can be used for LGPD and PIPEDA.
- [Critical] Document the legal basis for each processing activity under each applicable law. The legal basis can differ between GDPR, LGPD, and PIPEDA for the same processing.
- [Critical] Implement data subject rights workflows that handle access, correction, deletion, and portability requests within the deadlines required by each law. A unified workflow is more efficient than per-law workflows.
- [Critical] Establish breach notification capability that can produce notifications within the timelines required by each law. The shortest timeline (typically GDPR 72 hours, LGPD ~2 business days) is the operational target.
- [Critical] Document cross-border transfers with the legal mechanism for each. Use SCC-equivalent contracts for GDPR + LGPD + PIPEDA transfers from EU/Canada/Brazil to other jurisdictions.
- [Recommended] Use a single privacy program that satisfies the most stringent applicable framework rather than maintaining separate compliance programs. The cost of overlap is lower than the cost of distinct programs.
- [Recommended] Appoint a Data Protection Officer (DPO) if required by GDPR; the same individual can serve as the LGPD DPO (Encarregado).
- [Recommended] Train staff on the privacy obligations with examples relevant to their role. Generic privacy training is less effective than role-specific.
- [Optional] Subscribe to ANPD and OPC announcements for regulatory updates. Both authorities publish guidance and enforcement actions periodically.
Cloud Service Mapping¶
| Privacy Obligation | AWS | Azure | GCP |
|---|---|---|---|
| Data residency | Regional services, data residency commitments | Regional services, data residency add-ons | Regional services, dual-region storage |
| Encryption at rest | KMS with customer-managed keys | Key Vault with customer-managed keys | Cloud KMS with customer-managed keys |
| Access control | IAM, IAM Identity Center | Entra ID with Conditional Access | Cloud IAM, IAP |
| Audit trail | CloudTrail, Config | Activity Log, Defender | Cloud Audit Logs, SCC |
| Data subject access | DynamoDB / RDS / S3 query patterns | SQL / Cosmos DB query patterns | BigQuery / Cloud SQL query patterns |
| Data deletion | S3 lifecycle rules, RDS delete, Glue retention | Storage lifecycle, SQL DELETE, Purview retention | Storage lifecycle, BigQuery DELETE, time travel |
| Cross-border transfer agreements | AWS Data Processing Addendum | Microsoft Data Protection Addendum | Google Cloud Data Processing Addendum |
Common Decisions (ADR Triggers)¶
- Single privacy program vs per-jurisdiction programs — single program built around the most stringent requirements is the right answer for most multi-jurisdictional organizations.
- Use GDPR as the baseline — for organizations subject to GDPR + LGPD + PIPEDA, GDPR is typically the most stringent and serves as the implementation baseline. LGPD and PIPEDA are then satisfied via the GDPR controls with minor additions.
- Data residency strategy — for highly sensitive data, store it in the jurisdiction of the data subject (EU data in EU, Canadian data in Canada, Brazilian data in Brazil). For less sensitive data, the cross-border transfer mechanisms may make multi-region storage acceptable.
- DPO appointment — required by GDPR for some organizations, by LGPD for all controllers (though enforcement is loose), and not required by PIPEDA. A single DPO can serve all three roles.
- Vendor due diligence depth — annual questionnaires for low-risk processors, formal audit reports for high-risk processors. Apply the same standard regardless of the underlying privacy regime.
Reference Links¶
- PIPEDA (Office of the Privacy Commissioner of Canada)
- Bill C-27 (Digital Charter Implementation Act)
- LGPD official text (Portuguese)
- LGPD English translation (IAPP)
- Brazilian National Data Protection Authority (ANPD)
See Also¶
compliance/gdpr.md— GDPR, the framework most commonly used as the implementation baselinecompliance/ccpa.md— California Consumer Privacy Act, the US state-level equivalentframeworks/nist-csf-2.0.md— NIST CSF as the underlying security frameworkfailures/compliance.md— compliance failure patternsgeneral/data-classification.md— data classification as the foundation for privacy controls