Monday, June 29, 2026

Canada's proposed new privacy law: Bill C-36, the Protecting Privacy and Consumer Data Act

The Personal Information Protection and Electronic Documents Act, known as PIPEDA, has been Canada's private sector privacy law since 2001.

It's currently the law that governs how businesses collect, use and disclose your personal information. It's the law that made the Privacy Commissioner of Canada the federal privacy watchdog. And it's the law that most privacy professionals in Canada have built their careers around.

But now, the federal government has tabled Bill C-36, which would repeal and replace the privacy portions of PIPEDA with an entirely new framework.

And if you've been following federal privacy reform over the last few years, a lot of this will look familiar.

We've seen Bill C-11, the Digital Charter Implementation Act, 2020.

We've seen Bill C-27, Digital Charter Implementation Act, 2022.

Both died on the Order Paper.

Now we have Bill C-36, called the Protecting Privacy and Consumer Data Act.

But this bill does something that neither of those previous bills did.

It completely sidelines the existing Privacy Commissioner of Canada and hands enforcement to an entirely new regulatory structure that seems to be part of what I expect will be the super-mega digital regulator for Canada.

In this episode, I'm going to walk you through what Bill C-36 does, what's new, what's familiar, what businesses need to know, and what I think are some of the most significant changes.

On June 15, 2026, the Minister of Artificial Intelligence and Digital Innovation tabled Bill C-36, titled An Act to enact the Protecting Privacy and Consumer Data Act, to amend the Personal Information Protection and Electronic Documents Act and to make amendments to other Acts.

The centrepiece of the bill is a new law called the Protecting Privacy and Consumer Data Act, or PPCDA.

If passed, it would replace Part 1 of PIPEDA, which has governed private-sector privacy in Canada since 2001.

I don’t really like the name of the new law. On one hand, the law says that privacy is a fundamental right, but in the title it’s about people as “consumers”. If we have a fundamental right, it’s because we’re humans, not just consumers. I think it puts it all in a bad frame.

But in any event, let's dig in.

Déjà Vu All Over Again

If you've read Bill C-27, much of Bill C-36 will look very familiar. In substance, it takes PIPEDA and turns the obligations up to eleven. 

Many of the concepts are carried forward:

  • accountability obligations;
  • privacy management programs;
  • enhanced consent requirements;
  • legitimate interest exceptions;
  • rights to disposal of personal information;
  • data mobility provisions;
  • administrative monetary penalties; and
  • a much stronger enforcement framework.

What's missing, however, is the artificial intelligence legislation that was bundled into Bill C-27. It’s not really missing since it didn’t belong in Bill C-27 in the first place.

This new bill focuses exclusively on private-sector privacy law.

The Biggest Surprise — Goodbye Privacy Commissioner?

In my view, the most significant structural change is not about consent, de-identification or penalties. We expected that. 

It's about who oversees and enforces the law.

Historically, privacy complaints under PIPEDA have been investigated by the Privacy Commissioner of Canada.

The Commissioner acts primarily as an ombudsman. Complaints are investigated. Findings are issued. Organizations are encouraged to comply. And they can be named and shamed. And if things don't get resolved, the matter may end up in Federal Court, where orders can be issued and damages can be awarded.

Bill C-27 from 2022 would have given the Privacy Commissioner the power to investigate complaints and recommend orders and penalties. Those orders and penalties had to be levied by a proposed newly created, separate body called the Personal Information and Data Protection Tribunal.

Bill C-36 replaces the current PIPEDA model entirely by sidelining the current Commissioner.

Instead, oversight would be handled through the Digital Safety and Data Protection Commission of Canada, a new institution that originated in the government's online harms framework. (I covered that in my last episode.) The existing Privacy Commissioner would no longer be the regulator under the statute. Instead, there would be a new Privacy and Consumer Data Commissioner operating within this new commission structure.

This is a big shift.

For nearly twenty-five years, Canadian privacy regulation has been centred on an independent officer of Parliament.

Now, enforcement would be embedded within a broader administrative commission.

Whether that's a good thing or a bad thing will likely become one of the major debates surrounding the bill. The new Commissioner will be less independent and more beholden to the government. At this point, I’m not convinced that it’s a good idea – but I look forward to a lot of discussion about it over the summer.

A New Structure for the Law

Bill C-36 looks very different from PIPEDA. 

PIPEDA has always been a bit unusual. Rather than spelling out all of the rules directly in legislation, it incorporated the Canadian Standards Association Model Code for the Protection of Personal Information.

The law largely worked by saying: follow the Code, subject to these exceptions. Bill C-36 takes a different approach.

Much like the privacy statutes in Alberta and British Columbia, the principles are expressed directly in legislative language. For privacy professionals who work with Canadian federal and provincial laws, this means the substance will often feel familiar.

And because the essence of the principles is embedded directly in statute using traditional statutory language, I expect its interpretation will become more rigid and more legalistic than the current PIPEDA framework.

Expanded Scope?

The government seems to be expanding the scope of the private sector privacy law. One new provision, compared to PIPEDA, is particularly notable. PIPEDA applies to personal information collected, used or disclosed in the course of commercial activities, as well as federally regulated workplaces.

That basic framework remains. Bill C-36 will apply to personal information collected, used or disclosed in the course of commercial activities, as well as federally regulated workplaces.

But Bill C-36 includes a provision that specifically says that the legislation applies to personal information collected, used or disclosed interprovincially or internationally.

For greater certainty

(2) For greater certainty, this Act applies in respect of personal information

(a) that is collected, used or disclosed interprovincially or internationally by an organization; or

(b) that is collected, used or disclosed by an organization within a province, to the extent that the organization is not exempt from the application of this Act under an order made under paragraph 139(2)(b).


It’s not limited to data that crosses borders in connection with any commercial activity. Does that mean it applies to data that a Nova Scotia-based non-profit stores in Ontario? Or what about an Alberta company, subject to Alberta privacy law, that collects information from a British Columbia resident whose information is protected by that province’s privacy law? Does the federal law apply once the data crosses the Rocky Mountains?

I think this was probably put here to expand our European GDPR adequacy, so that the new law will explicitly apply to all data transferred from Europe to Canada for processing. But I suspect lawyers and regulators will spend a fair amount of time debating exactly how far this provision reaches.

Bill C-36 explicitly addresses Anonymous vs. De-Identified Data

Another major feature of the bill is its treatment of anonymous and de-identified information.

To date, Canadian privacy law has not directly addressed this concept.

Bill C-36 formally distinguishes among personal information, de-identified personal information and anonymized information.

anonymize means to irreversibly and permanently modify personal information to ensure that there is no reasonably foreseeable risk in the circumstances that an individual can be identified from the information, whether directly or indirectly, by any means. (anonymiser)

For greater certainty

6(5) For greater certainty, this Act does not apply in respect of anonymized information.

de-identify means to modify personal information so that an individual cannot be directly identified from it, although a risk of the individual being identified remains. (dépersonnaliser)

Anonymous information is information that has been irreversibly and permanently modified so there is no reasonably foreseeable risk that an individual can be identified. Anonymous information falls outside the legislation altogether.

De-identified information is different.

The information has been modified so an individual cannot be directly identified, but some risk of re-identification remains. That information continues to be regulated under the Act.

This distinction is important because organizations increasingly rely on de-identification techniques for analytics, research and product development.

The bill provides a much more detailed framework than PIPEDA currently does.

Under Bill C-36, Privacy Management Programs Become Mandatory

Essentially, Principle 1 of PIPEDA required all regulated organizations to have a privacy management program. Bill C-36 makes that expectation explicit.

Organizations must establish and maintain a documented privacy management program. They must also provide supporting documentation to the regulator upon request.

In practical terms, this means:

  • policies;
  • procedures;
  • training materials;
  • risk management documentation; and
  • governance records

All of these become much more important.

For organizations that have treated privacy compliance as an informal exercise, that approach will no longer be sufficient. And very importantly, every organization has to provide a copy of their privacy management program to the regulator upon request. 

Consent Gets More Detailed

The bill retains consent as the principal basis under which personal information can be collected, used or disclosed.

But the Bill significantly expands what organizations must communicate to the individual in order for consent to be valid.

Organizations will need to explain:

(a) the purposes for the collection, use or disclosure of the personal information;

(b) the manner in which the personal information is to be collected, used or disclosed;

(c) any reasonably foreseeable consequences of the collection, use or disclosure of the personal information;

(d) the specific type of personal information that is to be collected, used or disclosed; and

(e) the names of any third parties or types of third parties to which the organization may disclose the personal information.

And these explanations must be provided in plain language.

That’s a lot of information. Imagine trying to convey that at a retail point of sale. Under PIPEDA, conveying the purposes of the collection was done outside of a privacy policy or privacy statement, but this is the sort of information that should be put in a privacy statement. And this is all while folks are saying that privacy policies are too long and unreadable. I think it should be sufficient to communicate the purposes, clearly and understandably, and leave the rest for the privacy policy if the individual has any questions. 

Legitimate Interests and Business Activities

When it comes to consent, one hand giveth and the other taketh away. 

One of the most controversial features of Bill C-27 from 2022 was the introduction of new exceptions to consent. Those provisions largely survive under the proposed Protecting Privacy and Consumer Data Act.

Under Bill C-36, organizations can collect and use personal information without consent for certain business activities where a reasonable person would expect it, for security purposes, for safety purposes and for other prescribed activities.

Business activities

18 (1) An organization may collect or use an individual’s personal information without their knowledge or consent if the collection or use is made for the purpose of a business activity described in subsection (2) and

(a) a reasonable person would expect the collection or use for such an activity; and

(b) the personal information is not collected or used for the purpose of influencing the individual’s behaviour or decisions.

List of activities

(2) Subject to the regulations, the following activities are business activities for the purposes of subsection (1):

(a) an activity that is necessary to provide a product or service that the individual has requested from the organization;

(b) an activity that is necessary for the security of the organization’s information, systems or networks;

(c) an activity that is necessary for the safety of a product or service that the organization provides; and

(d) any other prescribed activity.

However, there is an important limitation.

These exceptions cannot be used where the information is being collected or used to influence an individual's behaviour or decisions.

The bill also includes a legitimate interest exception, which is similar to what is found in Europe’s General Data Protection Regulation.

To rely on it, an organization must carry out a privacy impact assessment to:

  1. identify possible adverse effects on individuals;
  2. take measures to mitigate those effects; and
  3. determine that its legitimate interest outweighs those adverse effects.

This sounds straightforward.

In practice, it may generate substantial debate.

What is influencing an individual’s behaviour or decisions? Does that include search rankings? What video to suggest next? An advertisement?

How do you measure adverse effects?

What counts as sufficient mitigation?

And how should competing interests be balanced?

Those questions are likely to become important very quickly. 

Notably, consent can still be implied if it’s appropriate, taking into account the reasonable expectations of the individual and the sensitivity of the information. But then section 15(6) says you can’t rely on implied consent for any activity listed in 18(2) or 18(3). 

Form of consent

(5) Consent must be expressly obtained unless, subject to subsection (6), it is appropriate to rely on an individual’s implied consent, taking into account the reasonable expectations of the individual and the sensitivity of the personal information that is to be collected, used or disclosed.

Business activities

(6) It is not appropriate to rely on an individual’s implied consent if their personal information is collected or used for an activity described in subsection 18(2) or if it is collected, used or disclosed for an activity described in subsection 18(3).

That includes “an activity that is necessary to provide a product or service that the individual has requested from the organization.” Those are exactly the sorts of activities where you should be able to rely on implied consent. The wording of the statute suggests that this is excluded from possible “implied consent”. 

For example, I tap my credit card to pay for a burger. My consent to processing that transaction should be implied without the cashier reciting everything listed in section 15 (like the reasonably foreseeable consequences of the collection, use or disclosure of my credit card number), but because it’s necessary for me to pay for my burger it can’t be implied.

That’s just dumb. That can’t be right. At a technical briefing on the bill, I asked officials with the Industry Department whether this was intentional or bad drafting and they couldn’t explain it. 

Bill C-36 includes a “Right to Disposal”

PIPEDA has long allowed individuals to withdraw consent in many circumstances.

Bill C-36 goes further or is at least more explicit. Under PIPEDA, an individual can withdraw consent. Since the organization can only retain personal information for as long as is reasonably necessary for the purposes for which consent was obtained, it was pretty clear – but implied – that the data should be deleted.

Under Bill C-36, individuals can explicitly require organizations to dispose of their personal information.

Importantly, disposal includes both deletion and anonymization.

This resembles the growing international trend toward stronger deletion rights, although it stops short of adopting a full European-style "right to be forgotten."

The Industry Minister, when speaking about this Bill, suggested this will allow people to have deepfakes deleted. I’m not sure that’s the case across the board. 

Cross-Border Transfers and Privacy Impact Assessments

Another area of note is the treatment of international transfers.

Before personal information is disclosed or transferred outside Canada, organizations would be required to conduct a privacy impact assessment in a prescribed format.

This is noteworthy.

For years, Canadian law has generally allowed cross-border transfers provided appropriate safeguards are in place. The same rules applied to domestic transfers, as well as international ones.

Bill C-36 moves toward a more structured assessment model. Exactly what those assessments must contain will depend on future regulations, and notably these assessments must be provided to the Commission on request. 

Enforcement Gets Serious

And now we come to what many people will consider the headline story.

Enforcement. Lots of enforcement.

Under the bill, investigations may begin following a complaint or on the initiative of the Privacy and Consumer Data Commissioner.

During an investigation, the Commissioner can compel records and testimony, receive any evidence regardless of whether it complies with the traditional rules of evidence, and enter and search any premises other than a dwelling. 

Following an investigation, the Commissioner may issue a notice of contravention. That notice can include proposed orders and proposed penalties.

If the organization does not challenge the notice, the contravention is deemed admitted and the proposed order and proposed penalties take effect.

If the organization disputes the notice, the matter goes before the Commission, which functions as a tribunal and can confirm, vary or cancel the findings. It will have to establish its rules of procedure, but notably it is not bound by any legal or technical rules of evidence, though the usual principles of fairness and natural justice apply.

Appeals can be made to the Federal Court.

This is a dramatically different model from the current PIPEDA process.

The Penalties

But a lot of focus will be on penalties. And yes, the penalties can be enormous.

Administrative monetary penalties can reach the greater of:

  • $10 million; or
  • 3% of global gross revenue.

For more serious offences prosecuted under the Act, penalties become even larger.

An indictable offence can result in fines up to the greater of:

  • $25 million; or
  • 5% of global gross revenue.

There is also directors’ and officers’ liability, regardless of whether the organization itself is hit with a penalty. For large multinational organizations, these are numbers that will attract immediate attention from boards of directors and senior executives.

The Private Right of Action

Bill C-36 will create a private right of action for individuals affected by a contravention of the Act. This is extremely broad and potentially problematic. Currently, under PIPEDA, a person who complains to the Privacy Commissioner can then go to the Federal Court at the conclusion of the Commissioner’s investigation to seek damages. It is a de novo process, which means that the complainant has to satisfy the Federal Court that the organization violated the law, that this violation harmed them and they are entitled to damages. PIPEDA does not create any sort of broader scheme beyond the individual complainant. 

Under Bill C-36, any individual who is affected by a contravention of the Act has “a cause of action against the organization for damages for loss or injury that the individual has suffered as a result of the contravention.” That tells me that this goes waaaay beyond the complainant having a right to sue the organization: anyone affected by the contravention could sue. 

Presumably you’d have to prove to the court that you’re “affected” by the contravention. The bill does not say whether liability is assumed or even deemed. Does a final notice of contravention just result in a blank cheque for anyone who can claim to be affected? 

And section 132(5) says that an action can be brought in the Federal Court or any provincial superior court. That’s a recipe for overwhelming our courts. 

Let’s use a recent privacy commissioner report of findings as an example of what could happen. In 2022, the federal commissioner, along with his counterparts in BC, Alberta and Quebec, issued a report of findings that the Tim Hortons coffee and donut chain violated the relevant privacy laws in the way that the company’s mobile app collected location information. The report found the App had over 8.6 million Canadian downloads, and as of July 2020, there were 1,602,343 active App Users. 

If that were to happen after Bill C-36 comes into effect and the Commissioner found a “contravention”, it sounds like 1.6 million people would each be able to sue Tim Hortons in their local court. Not that that many people would do so, but even a small portion of them doing so would overwhelm our legal system. And in the case of the Tim Hortons app, the regulators found that the company didn’t even use the location information. So you could have a huge number of legal claims, where it really was a “no harm, no foul” situation. I do note that there were a few class actions filed over the Tim Hortons app location tracking, which resulted in a settlement worth about 16 million dollars paid in Tim Hortons gift cards. 

In my view, if they’re going to create a private right of action, they should all be heard in the Federal Court of Canada and there should be a clear process to prevent a multiplicity of proceedings. 

The provincial superior courts are already overwhelmed. That’s where serious criminal trials take place, and already charges are being thrown out because of delays in getting to trial. I think it’s irresponsible to send an enormous number of claims into those courts, at the provinces’ expense and at the risk to the overall administration of justice. If the federal government is going to create a rush to the courthouses, it should be in the court that the federal government pays for.

What’s missing

I can’t help but notice something missing from the new Protecting Privacy and Consumer Data Act. 

While the government’s agenda is so clearly in favour of the adoption of artificial intelligence across Canada, there’s nothing in the bill that expressly permits or authorizes the collection of publicly available personal information from the internet for training AI models. Given the government’s artificial intelligence agenda, I am surprised that it is not there. 

But like so many recent bills, a huge amount is left to the regulations.

Conclusion

So, in conclusion, where does this leave us?

Bill C-36 is not a minor update to PIPEDA. It is a wholesale replacement of Canada's federal private-sector privacy framework. 

It introduces stronger enforcement. It creates significant penalties. It formalizes privacy management programs.

It expands rights relating to disposal of personal information.

And perhaps most significantly, it replaces the traditional Privacy Commissioner model with an entirely new regulatory structure.

I’m still thinking this through, and I’m sure I’ll have more to say about this new Digital Safety and Data Protection Commission of Canada, which is taking on the full “online harms” regulation from Bill C-34’s “Safe Social Media Act”, and now privacy under this new Bill C-36. A specialized tribunal makes some sense, but the Data Protection Commissioner should not be a member of the tribunal hearing review of his own investigations. In any event, it still puts the judge, jury, prosecutor and executioner in too cozy a relationship. The statute should clearly build in the guardrails and the firewalls to keep the investigation function detached from the Commission as a tribunal.

Anyways, I’m still thinking this through and will certainly have thoughts to come. In the meantime, both Professor Geist and Professor Scassa, who think deeply about these issues, have some preliminary thoughts online on their blogs and substacks. You should check them out. 

So the bill has only just been introduced and Parliament rose shortly afterward for the summer break. We don't yet know whether the government will fast-track it, whether it will undergo substantial amendments, or whether it will suffer the same fate as Bills C-11 and C-27. I expect that in terms of government priority, Online Harms will be higher up the list than privacy law reform. 

But one thing is certain.

If enacted, Bill C-36 would represent the most significant change to Canadian private-sector privacy law since PIPEDA itself came into force.
