The proposed new privacy law includes order-making powers and penalties, but completely sidelines the existing Privacy Commissioner
On June 15, 2026, the Minister of Artificial Intelligence and Digital Innovation Evan Solomon tabled in the House of Commons Bill C-36, called “An Act to enact the Protecting Privacy and Consumer Data Act, to amend the Personal Information Protection and Electronic Documents Act and to make amendments to other Acts”. This is the long-awaited privacy bill that is slated to replace the Personal Information Protection and Electronic Documents Act (PIPEDA), which has regulated the collection, use and disclosure of personal information in the course of commercial activity in Canada since 2001.
The bill is similar to Bill C-27, called the “Digital Charter Implementation Act, 2022” and its predecessor, Bill C-11, which was tabled in 2019 as the “Digital Charter Implementation Act, 2019”. Both of them languished in Parliament until the federal government called the last election.
Unlike its predecessors, and PIPEDA before it, the new law does not involve the existing Privacy Commissioner of Canada. Oversight of the new law will be in the hands of the Digital Safety and Data Protection Commission of Canada, first introduced as part of the “Online Harms” bill, Bill C-34. And unlike Bill C-27, it does not incorporate comprehensive regulation of artificial intelligence.
The Bill creates a new Protecting Privacy and Consumer Data Act (PPCDA), which effectively replaces Part 1 of PIPEDA.
The PPCDA is in a completely different structure than PIPEDA. PIPEDA included a schedule taken from the Canadian Standards Association Model Code for the Protection of Personal Information and generally required regulated organizations to follow the Code. Similar to the Personal Information Protection Acts of British Columbia and Alberta, the substance of the Code has largely been translated to statutory language in the Bill itself.
The most significant difference is what many privacy advocates have been calling for: order-making powers and significant penalties. The Bill also creates a new bureaucracy called the Digital Safety and Data Protection Commission of Canada (the Commission). The existing role of the Privacy Commissioner of Canada will be taken over by a new Privacy and Consumer Data Commissioner, who is a member of the Commission.
PIPEDA applies to the collection, use and disclosure of personal information in the course of commercial activity and to federally-regulated workplaces. That will not change in the PPCDA, but a new section 6(2) says that the new Act specifically applies to personal information that is collected, used or disclosed interprovincially or internationally. This provision is not expressly limited to commercial activity, so there’s an argument that could be made that it would apply to non-commercial or employee personal information that crosses borders.
The PPCDA has an interesting approach to anonymous and de-identified data. It officially creates these two categories. It defines anonymize as:
“to irreversibly and permanently modify personal information to ensure that there is no reasonably foreseeable risk in the circumstances that an individual can be identified from the information, whether directly or indirectly, by any means.”
In a number of areas, the PPCDA provides more detail about what is required to comply with general principles that are already in PIPEDA. For example, every regulated organization must have a documented privacy management program, and all the supporting documentation for an organization’s privacy management program must be provided to the Privacy and Consumer Data Commissioner on request.
With respect to consent, organizations expressly have to record and document the purposes for which any personal information is collected, used or disclosed. This was implied in the CSA Model Code, but is now expressly spelled out in the Act. The PPCDA lays out in detail what is required for consent to be valid. It requires not only identifying the purposes but also communicating in plain language how information will be collected, the reasonably foreseeable consequences of its use, what types of information may be disclosed, and to whom. The “purpose limitation” is scaled back further from limiting the use of personal information to the identified purposes; under the PPCDA, an organization cannot “require an individual to consent to the collection, use or disclosure of their personal information beyond what is necessary to provide the product or service.”
One significant change is the circumstances under which an organization can collect and use personal information without consent. Section 18 of the PPCDA allows collection and use without consent for certain business activities, where it would reasonably be expected to provide the service, for security purposes, for safety or other prescribed activities. Notably, this exception cannot be used where the personal information is to be collected or used to influence the individual’s behaviour or decisions. There is also a “legitimate interest” exception, which requires an organization to document any possible adverse effects on the individual, mitigate them and finally weigh whether the legitimate interest outweighs any adverse effects. It’s unclear how “adverse effects” would be measured.
As under PIPEDA, an individual can withdraw consent, subject to limitations similar to those in PIPEDA. But what’s changed is that an individual can require that their information be disposed of. Notably, disposal includes deletion and rendering it anonymous.
At a time when “digital sovereignty” is a common buzzword, the new Act will require privacy impact assessments (in a to-be-prescribed format) prior to disclosing or transferring data outside of Canada.
The most notable changes are with respect to oversight and enforcement. The Privacy and Consumer Data Commissioner is not an ombudsman with a focus on nudging companies to compliance and solving problems for individuals. The new Bill veers strongly towards enforcement.
As with PIPEDA, enforcement starts with a complaint by an individual, or the Privacy and Consumer Data Commissioner can initiate it of their own accord. After the investigation, the Privacy and Consumer Data Commissioner can issue a notice of contravention, which can include proposed penalties or proposed orders. If the organization does not contest the notice of contravention, it is deemed to have contravened the Act and the proposed penalties and orders, if any, come into effect.
An organization can dispute a notice of contravention before the new Commission, which is the tribunal for the Act. If a notice of contravention is disputed, the Commission is responsible for conducting hearings to review the Privacy and Consumer Data Commissioner’s findings. It has the authority to confirm, cancel, or vary the Commissioner's notice of contravention. It can also issue interim orders in exigent circumstances.
Appeals from the Commission can be made to the Federal Court of Canada.
Possible penalties are huge. The maximum administrative monetary penalty that the tribunal can impose in one case is the higher of $10,000,000 and 3% of the organization’s gross global revenue in its financial year before the one in which the penalty is imposed. The Act also provides for quasi-criminal prosecutions, which can get even higher.
The Crown prosecutor can decide whether to proceed as an indictable offence with a fine not exceeding the higher of $25,000,000 and 5% of the organization’s gross global revenue or a summary offence with a fine not exceeding the higher of $20,000,000 and 4% of the organization’s gross global revenue. If it’s a prosecution, then the usual rules of criminal procedure and fairness apply, like the presumption of innocence and proof beyond a reasonable doubt.
The Bill was tabled immediately before Parliament rises for the summer break. When Parliament resumes in September, it’s impossible to predict whether the Bill will be fast-tracked or whether it will languish like its predecessors. It is also hard to predict whether the government will be amenable to suggested amendments at the Committee stage.
(This summary was originally written for the Canadian Technology Law Association's newsletter.)