ARTICLE
22 June 2026

Ottawa Tables Long-awaited Federal Privacy Reform Legislation

GW
Gowling WLG

Contributor

Gowling WLG logo
Gowling WLG is an international law firm built on the belief that the best way to serve clients is to be in tune with their world, aligned with their opportunity and ambitious for their success. Our 1,400+ legal professionals and support teams apply in-depth sector expertise to understand and support our clients’ businesses.
Explore Firm Details
Canada's federal government has introduced Bill C-36, the Protecting Privacy and Consumer Data Act, establishing a new Digital Safety and Data Protection Commission and fundamentally reshaping the country's private-sector privacy framework.
Canada Privacy
Antoine Guilmain,Wendy Wagner,Nawal Sassi
+1 Authors
 Your Author LinkedIn Connections
Antoine Guilmain’s articles from Gowling WLG are most popular:
  • with Senior Company Executives, HR and Finance and Tax Executives
  • in Canada
  • with readers working within the Banking & Credit, Insurance and Technology industries

On June 15, 2026, the Honourable Evan Solomon, Minister of Artificial Intelligence and Digital Innovation, tabled Bill C-36, the Protecting Privacy and Consumer Data Act, in the House of Commons.

The bill represents the Government of Canada’s long-awaited and latest effort to modernize the federal private-sector privacy framework.

Minister Solomon framed this as a significant development, noting that “the moment is here” for reform, positioning privacy protection as foundational to responsible AI innovation and public trust, a core pillar of the government’s recently announced “AI for All” strategy.

Key takeaways

  • The bill establishes a new regulator: the Digital Safety and Data Protection Commission of Canada. There is no Tribunal model as proposed in C-27, and Bill C-36 contemplates the new Commissioner assuming authority over private-sector privacy regulation, displacing the Office of the Privacy Commissioner of Canada (OPC) in this regard.
  • The bill introduces a legislatively entrenched fundamental right to privacy.
  • The bill does not contain AI-specific legislation akin to the Artificial Intelligence and Data Act (AIDA) that formed Part 3 of C-27.
  • The bill enacts a new standalone statute, the Protecting Privacy and Consumer Data Act, and amends PIPEDA to become the Electronic Documents Act, stripping out its privacy provisions by repealing Part 1 of PIPEDA.

Context: Bill C-27 and the path to reform

Bill C-27 was introduced at first reading on June 16, 2022, as an omnibus digital-economy statute comprising three parts: the Consumer Privacy Protection Act (CPPA), the Personal Information and Data Protection Tribunal Act (PIDPTA), and AIDA. Parliament was prorogued in January 2025, and the bill died on the Order Paper.

Bill C-36 signals a deliberate choice to decouple privacy reform from AI regulation by refraining from introducing AI legislation alongside private sector privacy reform, an approach that stakeholders have both anticipated and encouraged. Bill C-36 also abandons the earlier concept of a Tribunal to oversee enforcement.

Content and policy significance

The bill includes:

  • Legislative recognition of privacy as a fundamental right, serving as a foundational interpretive principle throughout the statute.
  • Significantly increased penalties for non-compliance, with enforcement through the new Commission, totalling a maximum of $10 million or 3% of gross global revenues. These penalties are introduced alongside new enforcement powers for the Commissioner, including investigation authority, administrative monetary penalties, and enhanced accountability mechanisms.
  • Children’s personal information is categorized as sensitive, with enhanced accompanying protections. This dovetails with Bill C-34 (Safe Social Media Act), which addresses platform accountability for children’s safety online, which the Commissioner will also oversee if it becomes law.
  • A right to deletion (disposal) of personal information, which Minister Solomon framed as a tool for individuals to combat deepfakes and non-consensual AI-generated content.
  • Enhanced transparency for automated decision-making, requiring organizations to disclose information about automated systems, the criteria used, and means for individuals to challenge decisions.
  • Strengthened data mobility rights enabling individuals to request transfer of their personal information to another organization.
  • Amendments to the consent framework, including re-introducing “legitimate interest” as an exception to the requirement to obtain consent for collection, use, and disclosure of personal information, as previously proposed under C-27.
  • Obligation to implement and maintain a proportionate “privacy management program” covering safeguards, complaints and access handling, staff training, policies and procedures, and to provide the components of that program to the Commission on request. Organizations must also designate one or more individuals as being responsible for compliance with the Act.

Connection to Bill C-34 (Safe Social Media Act)

Bill C-36 forms part of a broader legislative framework taking shape that includes Bill C-34, the Safe Social Media Act (first reading June 10, 2026), which proposes a Digital Safety Act to be enforced by the same Commission as established in C-36. C-34 addresses platform accountability, online harms, and children’s safety, with penalties reaching up to 5% of gross global revenue.

Together, the Protecting Privacy and Consumer Data Act and the Digital Safety Act constitute a two-pronged early legislative agenda for digital trust and data governance under a single umbrella of regulatory oversight.

What to watch

  • Enforcement architecture: The new Commission model consolidates oversight. Details on order-making power and administrative monetary penalties will be critical for compliance planning.
  • Provincial interplay: The bill preserves the “substantially similar” exemption mechanism, allowing the Governor in Council to exempt organizations subject to equivalent provincial laws (e.g., private sector privacy legislation in Quebec, Alberta, or BC).
  • AI regulation: With AIDA excluded, expect an interconnected framework of legislation regulating diverse aspects of AI development and deployment, linked to the remaining pillars of the AI for All strategy.

Read the original article on GowlingWLG.com

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

[View Source]
Authors
Photo of Antoine Guilmain
Antoine Guilmain
Photo of Wendy Wagner
Wendy Wagner
Photo of Michael Walsh
Michael Walsh
Photo of Nawal Sassi
Nawal Sassi
Your Author LinkedIn Connections
See More Popular Content From

Mondaq uses cookies on this website. By using our website you agree to our use of cookies as set out in our Privacy Policy.

Learn More