Canada Launches Review Of The Privacy Act: Key Issues For Consultation

On April 2, 2026 the Treasury Board launched a formal review of Canada's federal Privacy Act, the statute governing how more than 250 federal institutions handle the personal information of Canadians, accompanied by a policy paper setting out detailed reform proposals.

While the Privacy Act, which has not been substantially updated since 1983, applies to federal institutions, these proposed reforms may have significant implications for private sector entities that contract with or act as vendors to the Government of Canada. Enhanced government data protection obligations, including mandatory privacy impact assessments, breach reporting requirements, and strengthened safeguards, can result in downstream compliance obligations for third parties handling personal information on behalf of federal institutions.

This bulletin summarizes some of the government's most notable proposals alongside the reform recommendations of the Office of the Privacy Commissioner of Canada (OPC) and identifies key issues for stakeholder input during the consultation period.

The government's proposals

The Treasury Board's policy proposals are organized around six broad themes each with specific proposals:

• Enabling integrated services: Enabling federal programs to securely share and reuse personal data, including through designated official data sources, so Canadians need provide their information only once.
• Enhancing accountability and transparency: Introducing measures including mandatory privacy impact assessments and strengthened transparency obligations, including for automated decision-making.
• Advancing safeguards across the spectrum of data sensitivity: Introducing necessity tests for the collection and retention of personal information, and additional safeguards such as mandatory breach reporting.
• Modernizing the foundation for privacy and trust: Recognizing privacy as a fundamental right, incorporating overarching principles including accountability, identifying purposes, limiting retention, accuracy, safeguards, openness, and by including a right to access to one’s own personal information in the Act itself versus the current mechanism under the Access to Information Act.
• Indigenous Peoples’ access to, and protection of, their data: Modernizing terminology and empowering Indigenous governments and organizations to access and manage their citizens' data.
• Updating the compliance framework: Providing for periodic legislative reviews and equipping the Privacy Commissioner and the Federal Court with adequate enforcement powers.

The privacy commissioner's priority recommendations

In February 2026, the OPC published seven priority recommendations for Privacy Act reform:

1. An explicit necessity and proportionality requirement for collection of personal information;
2. Mandatory privacy impact assessments in high-risk situations;
3. Binding order-making powers for the Privacy Commissioner;
4. An explicit legislative requirement to safeguard personal information;
5. Mandatory breach reporting;
6. Greater discretion for the Commissioner to publicly report on government privacy issues; and
7. Discretion for the Commissioner to discontinue or decline complaints.

These priorities distil a broader reform agenda developed over two decades, including comprehensive recommendations by former Commissioners Jennifer Stoddart (2006) and Daniel Therrien (2016).

Key issues for consultation

1. Privacy as a fundamental right: Aspirational or operative?

The government proposes recognizing privacy as a fundamental right through an amended purpose clause or preamble, while noting that neither provision would create directly enforceable rights. The OPC has historically urged that rights-based language serve as an operative interpretive framework for the statute, not merely a symbolic declaration. Stakeholders should consider whether the proposed formulation is sufficient to guide judicial interpretation and institutional practice.

2. Necessity vs. necessity and proportionality

The government proposes necessity tests for collection and retention of personal data. The OPC has called for both necessity and proportionality in the past, including in 2019 under Commissioner Dufresne. A proportionality requirement would require institutions to demonstrate that privacy intrusions are not merely necessary but also proportionate to the objective pursued. Whether the government's proposals will incorporate this additional standard is a critical question.

3. Scope of order-making powers

Under the Privacy Act, the Privacy Commissioner can only make non-binding recommendations. For privacy matters, the government proposes a corrective action plan (CAP) mechanism by which, following an investigation, the Commissioner could require institutions to develop, publish, and report on implementation of a CAP, with non-compliance referable to the Federal Court.

The proposal would also give the Commissioner discretion to decline or discontinue frivolous or vexatious complaints, a power currently lacking under the Privacy Act.

The distillation of OPC powers to impose CAPs for privacy matters is tied directly to the government’s proposal to shift the governance of personal information requests currently processed under the Privacy Act into the Access to Information Act, establishing a single, harmonized access regime with one consistent process for requests, exemptions, consultations, and oversight. This amended framework allows for an adjusted order-making authority for the OPC that is not applicable to the exercise of access rights.

4. Automated decision-making: Policy directive or statute?

The government proposes transparency requirements for automated decision-making but has not clearly signalled a move beyond the existing policy-based Directive on Automated Decision-Making. The OPC has recommended statutory protections, and Commissioner Dufresne has stressed in past comments that organizations using AI "should be transparent about this use, and accountable for any AI-generated decisions about individuals."

5. Data sharing safeguards

The government frames cross-program data sharing as a service-delivery benefit. The OPC has generally cautioned that any data-sharing framework must include robust safeguards. The OPC has historically treated large-scale data matching as among the most significant privacy threats posed by modern government.

6. Breach reporting standards

Both the government and the OPC support mandatory breach reporting. Key design questions remain, including reporting thresholds, notification timelines, and record-keeping obligations. The OPC has recommended alignment with the breach-reporting framework under PIPEDA, which requires notification to affected individuals where there is a real risk of significant harm.

7. Institutional coverage

The OPC's 2016 recommendations called for extending the Act's coverage to all government institutions, including Ministers' offices and the Prime Minister's Office, and for extending access rights to foreign nationals. Commissioner Therrien argued in his 2015-16 Annual Report that "individuals should be able to access their personal information and challenge its accuracy regardless of where it is within government." The government's 2026 policy paper does not appear to have taken up this recommendation directly, nor has Commissioner Dufresne under the OPC’s current list of priorities for Privacy Act reform.

8. Periodic review

The government's proposals include a five-year review of the Act, similar to the mechanism that exists for the Access to Information Act. The OPC called for this directly in 2016.

Next steps

Stakeholders including federal institutions, Indigenous partners, privacy professionals, and members of the public may submit comments on the government's policy paper through the online submission form until July 10, 2026.

Consultation meetings with federal institutions and subject matter experts will be held over the coming months. Whether this review produces transformative reform or results in more incremental change will depend in significant part on the quality and breadth of stakeholder engagement during this consultation window. A consolidated findings report is expected in late 2026 or early 2027.

Private sector entities that contract with or provide services to federal institutions should monitor these developments closely and consider engaging the consultation process, as new requirements imposed on government institutions may translate into contractual or regulatory obligations for vendors and other third parties who engage with the government. Organizations with government contracts may wish to assess their current data handling practices and privacy compliance frameworks in anticipation of potential changes.

Read the original article on GowlingWLG.com

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.