The Personal Information Protection and Electronic Documents Act,
known as PIPEDA, has been Canada's private sector privacy law since 2001.
It's currently the law that governs how businesses collect, use and
disclose your personal information. It's the law that made the Privacy
Commissioner of Canada the federal privacy watchdog. And it's the law that most
privacy professionals in Canada have built their careers around.
But now, the federal government has tabled Bill C-36, which would
repeal and replace the privacy portions of PIPEDA with an entirely new
framework.
And if you've been following federal privacy reform over the last
few years, a lot of this will look familiar.
We've seen Bill C-11, the Digital Charter Implementation Act, 2020.
We've seen Bill C-27, Digital Charter Implementation Act, 2022.
Both died on the Order Paper.
Now we have Bill C-36, called the Protecting Privacy and Consumer Data Act.
But this bill does something that neither of those previous bills
did.
It completely sidelines the existing Privacy Commissioner of Canada
and hands enforcement to an entirely new regulatory structure that seems to be
part of what I expect will be the super-mega digital regulator for Canada.
In this episode, I'm going to walk you through what Bill C-36 does,
what's new, what's familiar, what businesses need to know, and what I think are
some of the most significant changes.
On June 15, 2026, the Minister of Artificial Intelligence and
Digital Innovation tabled Bill C-36, titled An Act to enact the Protecting
Privacy and Consumer Data Act, to amend the Personal Information Protection and
Electronic Documents Act and to make amendments to other Acts.
The centrepiece of the bill is a new law called the Protecting
Privacy and Consumer Data Act, or PPCDA.
If passed, it would replace Part 1 of PIPEDA, which has governed
private-sector privacy in Canada since 2001.
I don’t really like the name of the new law. On one hand, the law
says that privacy is a fundamental right, but in the title it’s about people as
“consumers”. If we have a fundamental right, it’s because we’re humans, not
just consumers. I think it puts it all in a bad frame.
But in any event, let's dig in.
Déjà Vu All Over Again
If you've read Bill C-27, much of Bill C-36 will look very familiar.
In substance, it takes PIPEDA and turns the obligations up to eleven.
Many of the concepts are carried forward:
- accountability obligations;
- privacy management programs;
- enhanced consent requirements;
- legitimate interest exceptions;
- rights to disposal of personal information;
- data mobility provisions;
- administrative monetary penalties; and
- a much stronger enforcement framework.
What's missing, however, is the artificial intelligence legislation
that was bundled into Bill C-27. It’s not really missing since it didn’t belong
in Bill C-27 in the first place.
This new bill focuses exclusively on private-sector privacy law.
The Biggest Surprise — Goodbye Privacy Commissioner?
In my view, the most significant structural change is not about
consent, de-identification or penalties. We expected that.
It's about who oversees and enforces the law.
Historically, privacy complaints under PIPEDA have been investigated
by the Privacy Commissioner of Canada.
The Commissioner acts primarily as an ombudsman. Complaints are
investigated. Findings are issued. Organizations are encouraged to comply. And
they can be named and shamed. And if things don't get resolved, the matter may
end up in Federal Court, where orders can be issued and damages can be awarded.
Bill C-27 from 2022 would have given the Privacy Commissioner the
power to investigate complaints and recommend orders and penalties. Those
orders and penalties had to be levied by a proposed newly created, separate
body called the Personal Information and Data Protection Tribunal.
Bill C-36 replaces the current PIPEDA model entirely by sidelining
the current Commissioner.
Instead, oversight would be handled through the Digital Safety
and Data Protection Commission of Canada, a new institution that originated
in the government's online harms framework. (I covered that in my last episode.) The existing Privacy Commissioner would no longer be the regulator
under the statute. Instead, there would be a new Privacy and Consumer Data
Commissioner operating within this new commission structure.
This is a big shift.
For nearly twenty-five years, Canadian privacy regulation has been
centred on an independent officer of Parliament.
Now, enforcement would be embedded within a broader administrative
commission.
Whether that's a good thing or a bad thing will likely become one of
the major debates surrounding the bill. The new Commissioner will be less
independent and more beholden to the government. At this point, I’m not
convinced that it’s a good idea – but I look forward to a lot of discussion
about it over the summer.
A New Structure for the Law
Bill C-36 looks very different from PIPEDA.
PIPEDA has always been a bit unusual. Rather than spelling out all
of the rules directly in legislation, it incorporated the Canadian Standards
Association Model Code for the Protection of Personal Information.
The law largely worked by saying: follow the Code, subject to these
exceptions. Bill C-36 takes a different approach.
Much like the privacy statutes in Alberta and British Columbia, the
principles are expressed directly in legislative language. For privacy
professionals who work with Canadian federal and provincial laws, this means
the substance will often feel familiar.
And because the essence of the principles is embedded directly in
statute using traditional statutory language, I expect its interpretation will
become more rigid and more legalistic than the current PIPEDA framework.
Expanded Scope?
The government seems to be expanding the scope of the private sector
privacy law. One new provision, compared to PIPEDA, is particularly notable.
PIPEDA applies to personal information collected, used or disclosed in the
course of commercial activities, as well as federally regulated workplaces.
That basic framework remains. Bill C-36 will apply to personal
information collected, used or disclosed in the course of commercial
activities, as well as federally regulated workplaces.
But Bill C-36 includes a provision that specifically says that the
legislation applies to personal information collected, used or disclosed
interprovincially or internationally.
For greater certainty
(2) For greater certainty, this Act applies in respect of personal information
(a) that is collected, used or disclosed interprovincially or internationally by an organization; or
(b) that is collected, used or disclosed by an organization within a province, to the extent that the organization is not exempt from the application of this Act under an order made under paragraph 139(2)(b).
It’s not limited to data that crosses borders in connection with any
commercial activity. Does that mean it applies to data that a Nova Scotia-based
non-profit stores in Ontario? Or what about an Alberta company that is subject
to Alberta privacy law and collects information from a British Columbia
resident, information that is protected by that province’s privacy law? Does
the federal law apply once the data crosses the Rocky Mountains?
I think this was probably put here to expand our European GDPR
adequacy, so that the new law will explicitly apply to all data transferred
from Europe to Canada for processing. But I suspect lawyers and regulators will
spend a fair amount of time debating exactly how far this provision reaches.
Bill C-36 explicitly addresses Anonymous vs. De-Identified Data
Another major feature of the bill is its treatment of anonymous and
de-identified information.
To date, Canadian privacy law has not directly addressed this
concept.
Bill C-36 formally distinguishes among personal information,
de-identified personal information and anonymized information.
anonymize means to irreversibly and permanently modify personal information to ensure that there is no reasonably foreseeable risk in the circumstances that an individual can be identified from the information, whether directly or indirectly, by any means. (anonymiser)
For greater certainty
6(5) For greater certainty, this Act does not apply in respect of anonymized information.
de-identify means to modify personal information so that an individual cannot be directly identified from it, although a risk of the individual being identified remains. (dépersonnaliser)
De-identified information is different.
The information has been modified so an individual cannot be
directly identified, but some risk of re-identification remains. That
information continues to be regulated under the Act.
This distinction is important because organizations increasingly
rely on de-identification techniques for analytics, research and product
development.
The bill provides a much more detailed framework than PIPEDA
currently does.
Under Bill C-36, Privacy Management Programs Become Mandatory
Essentially, Principle 1 of PIPEDA required all regulated
organizations to have a privacy management program. Bill C-36 makes that
expectation explicit.
Organizations must establish and maintain a documented privacy
management program. They must also provide supporting documentation to the
regulator upon request.
In practical terms, this means:
- policies;
- procedures;
- training materials;
- risk management documentation; and
- governance records.
All of these become much more important.
For organizations that have treated privacy compliance as an
informal exercise, that approach will no longer be sufficient. And very
importantly, every organization has to provide a copy of their privacy
management program to the regulator upon request.
Consent Gets More Detailed
The bill retains consent as the principal basis under which personal
information can be collected, used or disclosed.
But the Bill significantly expands what organizations must
communicate to the individual in order for consent to be valid.
Organizations will need to explain:
(a) the purposes for the collection, use or disclosure of the personal information;
(b) the manner in which the personal information is to be collected, used or disclosed;
(c) any reasonably foreseeable consequences of the collection, use or disclosure of the personal information;
(d) the specific type of personal information that is to be collected, used or disclosed; and
(e) the names of any third parties or types of third parties to which the organization may disclose the personal information.
And these explanations must be provided in plain language.
That’s a lot of information. Imagine trying to convey that at a
retail point of sale. Under PIPEDA, conveying the purposes of the collection
was done outside of a privacy policy or privacy statement, but this is the sort
of information that should be put in a privacy statement. And this is all while
folks are saying that privacy policies are too long and unreadable. I think it
should be sufficient to communicate the purposes, clearly and understandably,
and leave the rest for the privacy policy if the individual has any
questions.
Legitimate Interests and Business Activities
When it comes to consent, one hand giveth and the other taketh
away.
One of the most controversial features of Bill C-27 from 2022 was
the introduction of new exceptions to consent. Those provisions largely survive
under the proposed Protecting Privacy and Consumer Data Act.
Under Bill C-36, organizations can collect and use personal
information without consent for certain business activities where a reasonable
person would expect it, for security purposes, for safety purposes and for
other prescribed activities.
Business activities
18 (1) An organization may collect or use an individual’s personal information without their knowledge or consent if the collection or use is made for the purpose of a business activity described in subsection (2) and
(a) a reasonable person would expect the collection or use for such an activity; and
(b) the personal information is not collected or used for the purpose of influencing the individual’s behaviour or decisions.
List of activities
(2) Subject to the regulations, the following activities are business activities for the purposes of subsection (1):
(a) an activity that is necessary to provide a product or service that the individual has requested from the organization;
(b) an activity that is necessary for the security of the organization’s information, systems or networks;
(c) an activity that is necessary for the safety of a product or service that the organization provides; and
(d) any other prescribed activity.
These exceptions cannot be used where the information is being
collected or used to influence an individual's behaviour or decisions.
The bill also includes a legitimate interest exception, which is
similar to what is found in Europe’s General Data Protection Regulation.
To rely on it, an organization must carry out a privacy impact
assessment to:
- identify possible adverse effects on individuals;
- take measures to mitigate those effects; and
- determine that its legitimate interest outweighs those adverse effects.
This sounds straightforward.
In practice, it may generate substantial debate.
What is influencing an individual’s behaviour or decisions? Does
that include search rankings? What video to suggest next? An advertisement?
How do you measure adverse effects?
What counts as sufficient mitigation?
And how should competing interests be balanced?
Those questions are likely to become important very quickly.
Notably, consent can still be implied if it’s appropriate taking into account the reasonable expectations of the individual and the sensitivity. But then section 15(6) says you can’t use implied consent for any activity listed in 18(2) or 18(3).
Form of consent
(5) Consent must be expressly obtained unless, subject to subsection (6), it is appropriate to rely on an individual’s implied consent, taking into account the reasonable expectations of the individual and the sensitivity of the personal information that is to be collected, used or disclosed.
Business activities
(6) It is not appropriate to rely on an individual’s implied consent if their personal information is collected or used for an activity described in subsection 18(2) or if it is collected, used or disclosed for an activity described in subsection 18(3).
For example, I tap my credit card to pay for a burger. My consent to
processing that transaction should be implied without the cashier reciting
everything listed in section 15 (like the reasonably foreseeable consequences
of the collection, use or disclosure of my credit card number), but because
it’s necessary for me to pay for my burger it can’t be implied.
That’s just dumb. That can’t be right. At a technical briefing on
the bill, I asked officials with the Industry Department whether this was
intentional or bad drafting and they couldn’t explain it.
Bill C-36 includes a “Right to Disposal”
PIPEDA has long allowed individuals to withdraw consent in many
circumstances.
Bill C-36 goes further or is at least more explicit. Under PIPEDA,
an individual can withdraw consent. Since the organization can only retain
personal information for as long as is reasonably necessary for the purposes
for which consent was obtained, it was pretty clear – but implied – that the
data should be deleted.
Under Bill C-36, individuals can explicitly require organizations to
dispose of their personal information.
Importantly, disposal includes both deletion and anonymization.
This resembles the growing international trend toward stronger
deletion rights, although it stops short of adopting a full European-style
"right to be forgotten."
The Industry Minister, when speaking about this Bill, suggested this
will allow people to have deepfakes deleted. I’m not sure that’s the case
across the board.
Cross-Border Transfers and Privacy Impact Assessments
Another area of note is the treatment of international transfers.
Before personal information is disclosed or transferred outside
Canada, organizations would be required to conduct a privacy impact assessment
in a prescribed format.
This is noteworthy.
For years, Canadian law has generally allowed cross-border transfers
provided appropriate safeguards are in place. The same rules applied to
domestic transfers, as well as international ones.
Bill C-36 moves toward a more structured assessment model. Exactly
what those assessments must contain will depend on future regulations, and
notably these assessments must be provided to the Commission on request.
Enforcement Gets Serious
And now we come to what many people will consider the headline
story.
Enforcement. Lots of enforcement.
Under the bill, investigations may begin following a complaint or on
the initiative of the Privacy and Consumer Data Commissioner.
During an investigation, the Commissioner can compel records and
testimony, receive any evidence regardless of whether it complies with the
traditional rules of evidence, and enter and search any premises other than a
dwelling.
Following an investigation, the Commissioner may issue a notice of
contravention. That notice can include proposed orders and proposed penalties.
If the organization does not challenge the notice, the contravention
is deemed admitted and the proposed order and proposed penalties take effect.
If the organization disputes the notice, the matter goes before the
Commission, which functions as a tribunal and can confirm, vary or cancel the
findings. It will have to establish its rules of procedure, but notably is not
bound by any legal or technical rules of evidence but the usual principles of
fairness and natural justice apply.
Appeals can be made to the Federal Court.
This is a dramatically different model from the current PIPEDA
process.
The Penalties
But a lot of focus will be on penalties. And yes, the penalties can
be enormous.
Administrative monetary penalties can reach the greater of:
- $10 million; or
- 3% of global gross revenue.
For more serious offences prosecuted under the Act, penalties become
even larger.
An indictable offence can result in fines up to the greater of:
- $25 million; or
- 5% of global gross revenue.
There is also directors’ and officers’ liability, regardless of
whether the organization itself is hit with a penalty. For large multinational
organizations, these are numbers that will attract immediate attention from
boards of directors and senior executives.
The Private Right of Action
Bill C-36 will create a private right of action for individuals
affected by a contravention of the Act. This is extremely broad and potentially
problematic. Currently, under PIPEDA, a person who complains to the Privacy
Commissioner can then go to the Federal Court at the conclusion of the
Commissioner’s investigation to seek damages. It is a de novo process, which
means that the complainant has to satisfy the Federal Court that the
organization violated the law, that this violation harmed them and they are
entitled to damages. PIPEDA does not create any sort of broader scheme beyond
the individual complainant.
Under Bill C-36, it says that any individual who is affected by a
contravention of the act has “a cause of action against the organization for
damages for loss or injury that the individual has suffered as a result of the
contravention.” That tells me that this goes waaaay beyond the complainant
having a right to sue the organization, by anyone affected by it.
Presumably you’d have to prove to the court that you’re “affected”
by the contravention. The bill does not say whether liability is assumed or
even deemed. Does a final notice of contravention just result in a blank cheque
for anyone who can claim to be affected?
And section 132(5) says that an action can be brought in the Federal
Court or any provincial superior court. That’s a recipe for overwhelming our
courts.
Let’s use a recent privacy commissioner report of findings as an
example of what could happen. In 2022, the federal commissioner, along with his
counterparts in BC, Alberta and Quebec, issued a report of findings that the
Tim Hortons coffee and donut chain violated the relevant privacy laws in the
way that the company’s mobile app collected location information. The report
found the app had over 8.6 million Canadian downloads, and as of July 2020,
there were 1,602,343 active app users.
If that were to happen after Bill C-36 comes into effect and the
Commissioner found a “contravention”, it sounds like 1.6 million people would
each be able to sue Tim Hortons in their local court. Not that that many people
would do so, but even a small portion of them doing so would overwhelm our
legal system. And in the case of the Tim Hortons app, the regulators found that
the company didn’t even use the location information. So you could have a huge
number of legal claims, where it really was a “no harm, no foul” situation. I
do note that there were a few class actions filed over the Tim Hortons app
location tracking, which resulted in a settlement worth about 16 million
dollars paid in Tim Hortons gift cards.
In my view, if they’re going to create a private right of action,
they should all be heard in the Federal Court of Canada and there should be a
clear process to prevent a multiplicity of proceedings.
The provincial superior courts are already overwhelmed. That’s where
serious criminal trials take place, and already charges are being thrown out
because of delays in getting to trial. I think it’s irresponsible to send an
enormous number of claims into those courts, at the provinces’ expense and at
the risk to the overall administration of justice. If the federal government is
going to create a rush to the courthouses, it should be in the court that the
federal government pays for.
What’s missing
I can’t help but notice something missing from the new Protecting
Privacy and Consumer Data Act.
While the government’s agenda is so clearly in favour of the
adoption of artificial intelligence across Canada, there’s nothing in the bill
that expressly permits or authorizes the collection of publicly available
personal information from the internet for training AI models. Given the
government’s artificial intelligence agenda, I am surprised that it is not
there.
But like so many recent bills, a huge amount is left to the
regulations.
Conclusion
So, in conclusion, where does this leave us?
Bill C-36 is not a minor update to PIPEDA. It is a wholesale
replacement of Canada's federal private-sector privacy framework.
It introduces stronger enforcement. It creates significant
penalties. It formalizes privacy management programs.
It expands rights relating to disposal of personal information.
And perhaps most significantly, it replaces the traditional Privacy
Commissioner model with an entirely new regulatory structure.
I’m still thinking this through, and I’m sure I’ll have more to say
about this new Digital Safety and Data Protection Commission of Canada, which
is taking on the full “online harms” regulation from Bill C-34’s “Safe Social
Media Act”, and now privacy under this new Bill C-36. A specialized tribunal
makes some sense, but the Data Protection Commissioner should not be a member
of the tribunal hearing review of his own investigations. In any event, it still
puts the judge, jury, prosecutor and executioner in too cozy a
relationship. The statute should clearly build in the guardrails and the
firewalls to keep the investigation function detached from the Commission as a
tribunal.
Anyways, I’m still thinking this through and will certainly have
thoughts to come. In the meantime, both Professor Geist and Professor Scassa,
who think deeply about these issues, have some preliminary thoughts online on
their blogs and substacks. You should check them out.
So the bill has only just been introduced and Parliament rose
shortly afterward for the summer break. We don't yet know whether the
government will fast-track it, whether it will undergo substantial amendments,
or whether it will suffer the same fate as Bills C-11 and C-27. I expect that
in terms of government priority, Online Harms will be higher up the list than
privacy law reform.
But one thing is certain.
If enacted, Bill C-36 would represent the most significant change to
Canadian private-sector privacy law since PIPEDA itself came into force.