Breach | June 23, 2026 | 10 min read

What a $150,000 OPC Investigation Looks Like — and the PII Failure That Started It

An OPC investigation is triggered by a complaint or a reported breach. What follows is a months-long process with real costs, public findings, and remediation demands. Here's what it looks like.

By Canuckt AI Team


The Investigation You Didn't Plan For

Most OPC investigations don't start with a call from a regulator. They start with a complaint from an individual — a former employee, a customer, a person who received someone else's data by mistake — filed through the OPC's online complaint portal.

The OPC accepts complaints, conducts an initial triage, and determines whether to investigate. Not every complaint results in a full investigation. But when the OPC decides to investigate, the organization receives a notification that is both formally bureaucratic and immediately consequential.

The $150,000 figure in the heading isn't a fine — PIPEDA doesn't work that way. It's an estimate of what an OPC investigation actually costs an organization: legal counsel fees for responding to the investigation, internal staff time diverted from operations, remediation costs for systems and processes that need to change, and in some cases the cost of notifying individuals and providing credit monitoring. The OPC doesn't send you a bill. The bill comes from your own response.

How Investigations Get Triggered

Individual complaints. The most common trigger. A person believes their personal information was mishandled — shared without consent, retained after they requested deletion, accessed without authorization, disclosed in a breach, or collected for one purpose and used for another. They file through the OPC portal. The complaint triggers an OPC assessment, and if the OPC determines the complaint raises a potential PIPEDA violation, an investigation is opened.

Breach reports. When organizations self-report a breach that creates a real risk of significant harm, the OPC uses the report to assess the organization's compliance generally, not just the specific breach. A breach report can open into a broader investigation if the OPC determines the breach reflects systemic compliance failures. This is why how you report matters as much as whether you report.

OPC-initiated investigations. The OPC has authority to initiate investigations on its own motion, without a complaint. In practice, these are rare and tend to target sectors or organizations where the OPC has identified systemic concerns — large-scale data collection practices, AI systems processing personal information, or industries with documented compliance problems.

What the Investigation Process Looks Like

The initial notification from the OPC describes the complaint or the trigger, identifies the PIPEDA provisions at issue, and requests a response. That response is due within a specified timeframe — typically 30 days, sometimes extended.

The response phase is where organizations with good documentation significantly outperform organizations that are discovering their compliance gaps in real time. You're asked to describe your privacy practices relevant to the complaint, provide documentation of your consent mechanisms, your safeguards, your policies, your breach response, or whatever the specific allegation concerns. If the documentation exists and reflects actual practice, you can answer these questions relatively quickly. If you're writing policies for the first time in response to an investigation request, you're in a different situation entirely.

The OPC may ask follow-up questions, request additional documentation, or request to interview staff. In more complex investigations, the OPC may conduct an audit of your systems or practices.

The timeline from complaint to finding typically runs six months to over a year for more complex cases. During this period, the investigation is ongoing and the organization must remain responsive. Legal counsel is almost always engaged for any significant investigation — not because the OPC process is adversarial, but because the responses you provide shape the finding, and experienced privacy counsel can help you present your position accurately and effectively.

The Finding and What Follows

OPC findings fall along a spectrum. At one end: the OPC concludes the complaint is unfounded and the investigation is closed. At the other end: the OPC makes adverse findings across multiple PIPEDA principles, publishes a detailed report, and seeks undertakings from the organization to remediate.

Published adverse findings are public. The OPC's website contains a searchable database of summaries. Your organization's name may not always appear — the OPC anonymizes some findings — but the industry, the nature of the violation, and the specific practices at issue are typically described in enough detail to be recognizable to anyone who deals with your organization or your sector.

The remediation demands in adverse findings are usually specific: implement a privacy management program by a specified date, revise consent mechanisms to address identified deficiencies, implement access controls for identified systems, conduct and document staff training, report back to the OPC within a defined period on implementation progress.

Failure to comply with undertakings can result in referral to the Federal Court, which has the authority to issue compliance orders. Federal Court proceedings become public in ways that OPC findings often aren't — they're court records, accessible through PACER-equivalent Canadian court databases.

The PII Failure Pattern

Investigations that result in the most costly remediation — in time, money, and reputational exposure — tend to start with a specific type of PII failure: personal information leaving the organization in a way that was entirely preventable with basic controls.

The patterns: a SIN spreadsheet emailed externally that wasn't supposed to leave the building. A database backup uploaded to a misconfigured cloud storage bucket, publicly accessible for months before anyone noticed. A departing employee exporting a customer list to a personal device. A medical record faxed to the wrong clinic because someone transposed two digits.

What these have in common: the personal information was in the organization's possession legitimately. The failure wasn't in whether they had it — it was in how they protected it. No encryption on the email attachment. No access controls on the cloud storage. No technical barriers to data exfiltration. No process for verifying fax numbers before transmission.

Each of these failures is detectable and preventable with controls that aren't expensive or complex. Automated detection of SINs and sensitive identifiers in outbound communications. Access logging that would have flagged the bulk export. Cloud storage configurations that require explicit public access grants rather than defaulting to open. Fax confirmation workflows.
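The first of those controls, automated detection of SINs in outbound communications, is small enough to show end to end. The following is an added example, not code from the original post or from any vendor it mentions. It assumes outbound messages arrive as plain-text dicts with `to` and `body` fields, that the organization's own domain is the placeholder `example.com`, and that a SIN is nine digits passing the Luhn (mod 10) checksum, which is what lets the scanner ignore reference numbers and phone numbers that merely look similar. The sample messages and the SIN-like numbers in them are constructed.

```python
"""Outbound check: flag and redact Canadian SINs before a message leaves.

Added example; not the page's or any vendor's code. Assumptions: messages are
dicts with 'to' and 'body'; the organisation's domain is the placeholder
example.com; a SIN is nine digits that pass the Luhn checksum.
"""
import re

INTERNAL_DOMAIN = "example.com"  # placeholder, assumed for the example

# Nine digits, optionally grouped 3-3-3 with spaces or hyphens.
SIN_RE = re.compile(r"\b(\d{3})[ -]?(\d{3})[ -]?(\d{3})\b")


def luhn_valid(digits: str) -> bool:
    """Luhn (mod 10) checksum, which a well-formed SIN satisfies."""
    total = 0
    for pos, ch in enumerate(reversed(digits)):
        d = int(ch)
        if pos % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_sins(text: str) -> list[str]:
    """Return the matched strings that are Luhn-valid nine-digit numbers."""
    hits = []
    for m in SIN_RE.finditer(text):
        if luhn_valid("".join(m.groups())):
            hits.append(m.group(0))
    return hits


def redact_sins(text: str) -> str:
    """Replace Luhn-valid SIN candidates; leave other nine-digit numbers alone."""
    def _sub(m: re.Match) -> str:
        return "[SIN REDACTED]" if luhn_valid("".join(m.groups())) else m.group(0)
    return SIN_RE.sub(_sub, text)


def scan_outbound(message: dict) -> dict:
    """Decide whether an outbound message should be held for review.

    A SIN going to an internal recipient is logged but not held; a SIN going
    to an external address is held, and a redacted body is offered instead.
    """
    external = not message["to"].lower().endswith("@" + INTERNAL_DOMAIN)
    sins = find_sins(message["body"])
    return {
        "external": external,
        "sins_found": len(sins),
        "hold": external and bool(sins),
        "redacted_body": redact_sins(message["body"]),
    }


# Constructed sample messages; the numbers below are made up for the example.
SAMPLE_MESSAGES = [
    {"to": "payroll@example.com",
     "body": "Updated SIN for J. Smith: 046 454 286"},
    {"to": "vendor@partner.example",
     "body": "Ref 123-456-789, call 555 123 4567"},
    {"to": "vendor@partner.example",
     "body": "Attached: employees.xlsx, SIN 046-454-286"},
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        print(msg["to"], scan_outbound(msg))
```

The Luhn check is what keeps the second message from being held: `123-456-789` has the right shape but the wrong checksum, and the ten-digit phone number never matches the nine-digit pattern. The check reduces false positives rather than eliminating them (an invoice number that happens to pass Luhn would still be flagged), so in practice the hold would route to a reviewer rather than silently block, and the event itself would be logged, which is the access-logging half of the controls listed above.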

The organizations that make these investments before an investigation find them to be inexpensive insurance. The organizations that make them in response to an investigation find them to be expensive remediation — with a public finding and a compliance deadline attached.

The cost of prevention is always lower than the cost of response. The challenge is that prevention requires anticipating a problem that hasn't happened yet, while response is triggered by a crisis that's already real. Most organizations are better at responding to crises than preventing them. The OPC's investigation and findings process is, in some sense, the mechanism that converts PII failure from a hypothetical into a documented, public, remediation-required reality.

Tags: OPC investigation Canada cost, PIPEDA investigation what happens, PII breach OPC investigation, Privacy Commissioner investigation Canada, PIPEDA fine Canada

Protect your data before sending it to AI.

Shielk automatically redacts PII from your content — so your team can use AI tools safely.
