CanucktAI
Glossary

Canadian privacy & AI, in plain English

Short, reliable definitions of the compliance terms Canadian businesses actually run into.

Laws & regulators

Alberta PIPA

Alberta PIPA is Alberta’s private-sector privacy law, which regulates how provincial organizations handle personal information and was the first Canadian law to require mandatory breach notification.

BC PIPA

BC PIPA is British Columbia’s private-sector privacy law, which governs how organizations in the province collect, use, and disclose personal information and is recognized as substantially similar to PIPEDA.

Bill C-27 (Digital Charter Implementation Act)

Bill C-27 was the federal Digital Charter Implementation Act, a package containing the CPPA, a data-protection tribunal, and Canada’s first AI law (AIDA); it died at the January 2025 prorogation.

CASL

CASL is Canada’s Anti-Spam Legislation, which requires consent, sender identification, and an unsubscribe mechanism before sending commercial electronic messages, with penalties of up to $10 million.

Commission d’accès à l’information (CAI)

The CAI is Quebec’s privacy and access-to-information regulator, which enforces Law 25 and can impose significant administrative and penal penalties on organizations.

CPPA (Consumer Privacy Protection Act)

The CPPA was the proposed federal law meant to replace PIPEDA’s private-sector rules with stronger consent, individual rights, and order-making and fining powers; it died with Bill C-27 in January 2025.

FINTRAC

FINTRAC is Canada’s financial-intelligence and anti-money-laundering regulator, whose record-keeping and reporting rules explain why some personal records must be retained — and must not be anonymized or deleted.

GDPR

The GDPR is the European Union’s data-protection law, which can apply to Canadian businesses that offer goods or services to, or monitor, people in the EU, with fines up to €20 million or 4% of global turnover.

Office of the Privacy Commissioner of Canada (OPC)

The OPC is Canada’s federal privacy regulator, which oversees PIPEDA and the Privacy Act, investigates complaints, and publishes guidance for businesses and government institutions.

PHIPA

PHIPA is Ontario’s health-privacy law, which sets the rules that hospitals, clinics, and other health information custodians must follow when collecting, using, and disclosing personal health information.

PIPEDA

PIPEDA is Canada’s federal private-sector privacy law, which governs how businesses collect, use, and disclose personal information in the course of commercial activity.

Quebec Law 25

Law 25 is Quebec’s modernized private-sector privacy law, which imposes strict consent, transparency, and governance obligations and penalties of up to $25 million or 4% of worldwide turnover.

Privacy concepts

Anonymization

Anonymization is the irreversible transformation of data so that no individual can ever be re-identified — a higher bar than de-identification that takes the data outside privacy law.

Consent

Consent is an individual’s meaningful agreement to the collection, use, or disclosure of their personal information — and under Canadian law it must be informed and, for sensitive data, express.

Cross-border data transfer

A cross-border data transfer is any movement of personal information outside the jurisdiction where it was collected — which, in Quebec, triggers a mandatory assessment before the data leaves.

Data residency

Data residency refers to the physical or geographic location where personal data is stored and processed — a growing priority for Canadian organizations that want their data kept in Canada.

De-identification

De-identification is the process of removing or masking direct identifiers so data no longer directly names a person, while accepting that re-identification may still be possible.

Personal information

Personal information is any information about an identifiable individual — anything that, alone or combined with other data, could identify a specific person.

PII (personally identifiable information)

PII (personally identifiable information) is any data that can identify a specific person — a term borrowed from U.S. usage that maps closely to Canada’s “personal information.”

Privacy breach notification

Privacy breach notification is the legal duty to report a security incident involving personal information to regulators and affected individuals when it poses a real risk of significant harm.

Privacy by design

Privacy by design is the practice of building data protection into products and processes from the very start, rather than bolting it on afterward.

Privacy Impact Assessment (PIA)

A Privacy Impact Assessment (PIA) is a structured evaluation of how a project handles personal information and the privacy risks it creates — now a legal requirement in Quebec for high-risk initiatives.

Records of Processing Activities (ROPA)

Records of Processing Activities (ROPA) are an organization’s inventory of what personal information it collects, why, where it lives, and who it is shared with.

Social Insurance Number (SIN)

A Social Insurance Number (SIN) is the nine-digit federal identifier Canadians use for work and government benefits — one of the most sensitive pieces of personal information an organization can hold.

AI governance

AI governance

AI governance is the set of policies, roles, controls, and oversight an organization uses to develop and deploy artificial intelligence responsibly, safely, and in line with the law.

AI system inventory

An AI system inventory (or AI registry) is a maintained record of every AI system an organization builds, buys, or uses — the foundational artifact that makes AI governance, risk assessment, and compliance possible.

AIDA (Artificial Intelligence and Data Act)

AIDA was Canada’s proposed Artificial Intelligence and Data Act, introduced within Bill C-27 — but it died when Parliament was prorogued in January 2025 and is not law.

Algorithmic Impact Assessment (AIA)

Canada’s Algorithmic Impact Assessment is a mandatory questionnaire tool that federal government institutions must complete to measure the impact of an automated decision system, under the Treasury Board’s Directive on Automated Decision-Making.

EU AI Act

The EU AI Act (Regulation (EU) 2024/1689) is the world’s first comprehensive AI law, using a risk-based approach and applying to any organization — including Canadian exporters — whose AI systems are placed on the market or used in the EU.

Fundamental Rights Impact Assessment (FRIA)

A Fundamental Rights Impact Assessment is an evaluation that certain deployers of high-risk AI systems must carry out under the EU AI Act to identify and mitigate the system’s impact on people’s fundamental rights before putting it into use.

General-purpose AI (GPAI) / foundation models

General-purpose AI (GPAI), also called a foundation model, is an AI model trained on broad data that can be adapted to many downstream tasks — and under the EU AI Act, its providers carry specific transparency and documentation obligations.

High-risk AI system

A high-risk AI system is one that, under the EU AI Act, can significantly affect people’s health, safety, or fundamental rights — such as AI used in hiring, credit, education, or critical infrastructure — and therefore faces the law’s strictest obligations.

ISO/IEC 42001

ISO/IEC 42001:2023 is the world’s first certifiable AI management system standard, giving organizations an auditable framework to govern the development and use of artificial intelligence.

NIST AI Risk Management Framework

The NIST AI Risk Management Framework (AI RMF 1.0) is a voluntary U.S. framework that helps organizations identify, assess, and manage AI risks through four functions: Govern, Map, Measure, and Manage.

Shadow AI

Shadow AI is the use of AI tools by employees without the organization’s knowledge, approval, or oversight — creating hidden privacy, security, and compliance risks that governance is meant to control.

Voluntary Code of Conduct on Advanced Generative AI

Canada’s Voluntary Code of Conduct on the Responsible Development and Management of Advanced Generative AI Systems, launched in September 2023, is a non-binding set of commitments firms can sign to demonstrate responsible generative-AI practices ahead of any binding law.

Our own compliance

We run our own compliance programme inside Valdra — the product we sell. Our SOC 2, ISO 27001 and ISO 42001 programmes are actively in progress; we do not claim certifications we do not yet hold.

Valdra compliance badge — click to verify
  • PIPEDA
  • Law 25 (Quebec)
  • CASL
  • Data hosted in Canada 🇨🇦
  • AI governance
View our Trust Centre

Self-declared, not audited by a third party. Click the badge to verify it is genuine and see what it covers.

Canadian Privacy & AI Compliance Glossary | Canuckt AI