1 July 2026

Bill C-36: Rewriting The Rules For Canadian Private Sector Privacy

Davies Ward Phillips & Vineberg


Davies is a law firm focused on high-stakes matters. Committed to achieving superior outcomes for our clients, we are consistently at the heart of their most complex deals and cases. With offices in Toronto, Montréal and New York, our capabilities extend seamlessly to every continent. Visit us at www.dwpv.com.
Canada's proposed Privacy and Consumer Data Act introduces sweeping changes to private sector privacy regulation, including a new enforcement body with unprecedented penalty powers, mandatory cross-border transfer assessments, and enhanced protections for children's data. Organizations operating in Canada face a fundamental shift from PIPEDA's principles-based approach to a prescriptive compliance regime with significant financial and legal consequences.
Alexander Max Jarvie, Davies Ward Phillips & Vineberg

Introduction

On June 15, 2026, Canada’s Minister of Artificial Intelligence and Digital Innovation introduced Bill C-36, An Act to enact the Protecting Privacy and Consumer Data Act, to amend the Personal Information Protection and Electronic Documents Act and to make amendments to other Acts (“Bill C-36”). Bill C-36 represents the federal government’s third attempt at reforming Canada’s private sector privacy regime.

Bill C-36 comes just a few days after the introduction of Bill C-34, An Act to enact the Digital Safety Act and the Digital Safety Commission of Canada Act and to make consequential amendments to other Acts, which seeks to regulate social media, chatbots and online services. Both bills were prefigured in Canada’s national artificial intelligence strategy released on June 4, 2026 and form key parts of this new policy framework.

Bill C-36 would repeal Part 1 of the Personal Information Protection and Electronic Documents Act (PIPEDA) and replace it with a new statute: the Protecting Privacy and Consumer Data Act (PPCDA). PIPEDA’s electronic documents provisions would be retained under the renamed Electronic Documents Act.

Bill C-36 must still undergo the full legislative process before becoming law. However, given the current majority government’s stated commitment to this legislation, the likelihood of passage in some form is high.

Much of PPCDA’s substance will be familiar to organizations that tracked Bill C-27’s Consumer Privacy Protection Act (CPPA); certain core features of that earlier bill have been brought forward, either intact or with modifications. In this bulletin, we discuss selected features of the proposed PPCDA that are salient for businesses, comparing and contrasting with PIPEDA, Bill C-27 and Québec’s Law 25 where particularly relevant.

Key Takeaways

  • A new regulator replaces the Office of the Privacy Commissioner of Canada (OPC) for the private sector. The PPCDA would empower the newly created Digital Safety and Data Protection Commission of Canada (Commission) to enforce the PPCDA.
  • New enforcement powers. The Commission would be empowered to impose administrative monetary penalties (AMPs) of up to the greater of C$10 million and 3% of an organization’s gross global revenue for the preceding year, a dramatic departure from PIPEDA’s ombuds model and from Bill C-27’s separate tribunal approach. In addition, fines for offences under the PPCDA could reach the greater of C$25 million and 5% of gross global revenue.
  • Transfer impact assessments. Organizations would be obliged to conduct privacy impact assessments and mitigate privacy risks before transferring personal information outside Canada. This is a significant new obligation for any business needing to send personal information outside Canada, including to service providers and affiliates.
  • Heightened protection for children’s data. Children’s personal information is expressly described as sensitive, entailing more stringent requirements for collection and handling.
  • A right to deletion. The PPCDA would provide a right for an individual to request that an organization dispose of that individual’s personal information. In fulfilling such a request, the organization would also be required to notify any service provider to which it has transferred the information and ensure that the service provider disposes of the information.
  • Artificial Intelligence obligations. Transparency requirements for the use of automated decision systems introduced in Bill C-27 have reappeared, but with an additional requirement that echoes the changes introduced in Québec’s Law 25: an organization must provide an individual with an opportunity to make written representations to an employee of the organization who is able to review the automated prediction, recommendation or decision that was made about them.
  • Privacy as a fundamental right. Privacy is described as a “fundamental right” of individuals in the purpose statement, shaping how the statute’s balancing provisions will be interpreted.

Major Features for Businesses to Watch

The Digital Safety and Data Protection Commission

Bill C-36 removes private sector privacy jurisdiction from the OPC and transfers it to the Commission. The Commission would administer both the PPCDA and the Digital Safety Act proposed under Bill C-34. It would be a five-member body with a designated Privacy and Consumer Data Commissioner and a Privacy and Consumer Data Division (Division), the Division being composed of the Commissioner and at least one other member of the Commission.

Unlike PIPEDA’s regime, under which the OPC investigated complaints and could make recommendations and publish findings, the Commission would be able to issue compliance orders and impose administrative monetary penalties directly. In addition, rather than being an agent of Parliament in the manner of the OPC, the members of the new Commission would be appointed by the Governor in Council and the Commissioner would be appointed by Cabinet. This is a significant overhaul that, coupled with the Commission’s broader mandate to oversee online safety and AI chatbots under Bill C-34, would likely lead to a more interventionist regulatory culture.

Penalties, Fines and the Private Right of Action

Under the PPCDA, the Commission would have the power to impose AMPs of up to the greater of C$10 million and 3% of an organization’s gross global revenue for the preceding year. These penalties would align the federal private sector framework with the changes introduced into Québec law under Law 25, the European Union’s General Data Protection Regulation (GDPR) and modernized privacy laws in other jurisdictions.

In addition, fines for offences under the PPCDA could reach the greater of C$25 million and 5% of gross global revenue. While these headline figures are substantial, the PPCDA reserves offence liability for a relatively narrow category of conduct, generally involving knowing non-compliance with key obligations relating to security breach reporting and record-keeping, obstruction of regulatory processes, retaliation against whistleblowers or failure to comply with regulatory orders. Most privacy compliance failures would instead be addressed through the AMP regime.

The PPCDA would establish a due diligence defence, preventing the imposition of an AMP where an organization establishes that it exercised due diligence to prevent the contravention. Evidence of due diligence that falls short of establishing a complete defence would still be considered when determining the amount of an AMP. Given that the express purpose of AMPs is to promote compliance with the PPCDA, not to punish, an organization’s ability to demonstrate its due diligence would therefore be a key factor. The PPCDA also contemplates a safe harbour for organizations that establish compliance with a “certification program” approved by the Commission. The details of any such certification programs would be prescribed through future regulations and approval processes; no approved certification programs currently exist.

The PPCDA would also create a private right of action allowing individuals to seek damages following specified final findings of contravention, entry into certain compliance agreements or final conviction for an offence under the PPCDA, subject to a two-year limitation period. Claims could be pursued in either Federal Court or the superior court of a province and would be in addition to existing causes of action under other federal and provincial statutes and at common law.

Importantly, unlike under PIPEDA, the right of action for damages under the PPCDA would extend to any individual who suffered loss or injury as a result of the contravention or offence, whether or not that individual initiated the regulatory complaint. The private right of action would therefore be available to a potentially broad class of affected individuals once the statutory preconditions have been satisfied. Combined with the PPCDA’s more detailed and prescriptive substantive obligations and enhanced enforcement framework, this is likely to meaningfully increase the risk of follow-on class actions, subject to the ability of plaintiffs to demonstrate resulting damages. Organizations found to have contravened the PPCDA could therefore face not only significant AMPs (or, in some cases, fines), but also substantial civil liability arising from the same underlying conduct.

A More Prescriptive Approach to Consent

The governing framework for collecting, using or disclosing personal information remains consent-based with exceptions, but the PPCDA makes the requirements for valid consent more prescriptive than PIPEDA’s principles-based approach.

Organizations would be required to provide concerned individuals with plain-language disclosure of the purposes for which personal information is being collected, including the manner of processing, reasonably foreseeable consequences of processing, the specific types of personal information being processed, and information about potential third-party recipients of such information.

Although implied consent would be permitted where appropriate in light of the sensitivity of the personal information involved and the concerned individual’s reasonable expectations, organizations would generally be required to obtain express consent. Organizations would also be prohibited from conditioning products or services on consent beyond what is necessary, even if the concerned individual consents. Likewise, consent obtained through deceptive or misleading practices would be invalid.

Consent Exceptions

In addition to consent exceptions carried over from PIPEDA, the PPCDA would introduce new exceptions, including for the following:

  • specified business activities, such as to provide a product or service that the individual has requested or for the security of the organization’s information, systems or networks, provided that a reasonable person would expect the collection or use for such an activity and the information is not used to influence behaviour or decisions;
  • legitimate interests, provided that such interests outweigh reasonably foreseeable adverse effects and are not used to influence behaviour or decisions; and
  • research using de-identified information.

The legitimate interest consent exception is similar to that introduced by Bill C-27, but would also expressly require organizations relying on this basis to conduct a privacy impact assessment. Although clearly inspired by the GDPR, rather than being introduced as an independent legal basis alongside consent, legitimate interest is only an exception to the general rule of consent. Notably, no similar exception is available under the private sector privacy laws of Alberta, British Columbia and Québec, raising questions of interoperability with respect to those laws. It will be interesting to see how this exception operates in practice.

We also note that the PPCDA does not set forth a general requirement to conduct privacy impact assessments in the manner of the GDPR or Québec’s laws as amended by Law 25. It may be that the legislator intends that the more prescriptive approach to consent set forth in the PPCDA will drive organizations toward leveraging the legitimate interest exception, effectively broadening the circumstances in which privacy impact assessments are conducted without making this a more general obligation.

Cross-Border Transfer Assessments

Similarly to requirements under the GDPR and Québec’s privacy laws as amended by Law 25, under the PPCDA, organizations would be obliged to conduct privacy impact assessments, in accordance with prescribed requirements that would be set by the Governor in Council, and to mitigate privacy risks before transferring personal information outside Canada. Bill C-27 did not include such a requirement. This is a significant new obligation for any business desiring to transfer personal information outside Canada, including to service providers and affiliates. Any organization using foreign-hosted cloud platforms or SaaS solutions that process or store personal information, such as payroll systems, HR software, ERP platforms, CRM tools or generative AI services, would be obliged to undertake such assessments.

Right to Deletion

The PPCDA introduces an express right to request disposal (i.e., deletion or anonymization) of personal information. An organization must comply “as soon as feasible” where the information was collected in contravention of the PPCDA; consent has been withdrawn; or the information is no longer necessary for the continued provision of a product or service. The organization must also notify service providers and ensure downstream disposal.

This requirement to dispose and to ensure downstream disposal means that organizations need three things they may not currently have: granular data inventories that track where specific individuals’ information resides across internal and third-party systems; contractual provisions with service providers that actually enable and require disposal on notice; and internal workflows to process requests, cascade them to vendors and confirm completion.

Children’s Privacy

The PPCDA would introduce a number of provisions intended to provide greater protections for the personal information of children. The PPCDA defines a child as anyone under 18 and designates children’s personal information as sensitive by default, meaning express consent would be required to collect, use or disclose it, and organizations would need to implement stringent safeguards to protect it. In addition, the new regulator must consider “the best interests of children” when exercising any of its powers. There is also a higher bar before a child’s request to delete their data can be refused: an exception that provides for “undue adverse effect on accuracy” does not apply to children’s personal information.

Any organization that interacts with mixed-age audiences would need to operationally determine whether it is collecting children’s data and, if so, consider how best to apply more stringent consent and safeguarding standards.

Automated Decision Systems

Organizations that use automated decision systems to make predictions, recommendations or decisions about individuals with legal or similarly significant effects must prepare for three things operationally: first, they must publicly disclose “a general account” of their use of such systems; second, on request from an affected individual, they must provide an explanation indicating the type of personal information used, its source and the reasons or principal factors that led to the output; and third, they must give the individual an opportunity to make written representations to an employee capable of reviewing the decision. This third requirement distinguishes the PPCDA from Bill C-27 and aligns very closely with the requirements for automated processing introduced in Québec by Law 25.

The PPCDA defines automated decision systems broadly, including any technology that assists or replaces the judgment of human decision-makers through the use of a rules-based system, regression analysis, predictive analytics, machine learning, deep learning, a neural network or other technique. Organizations should note that the definition includes technology that only assists, in contrast to Québec’s Law 25, which restricts the ambit of its requirements to decisions undertaken exclusively by automated processing.

That said, the threshold under the PPCDA is higher than that which Bill C-27 had proposed. Bill C-27 set its trigger at a “significant impact” on individuals. The PPCDA instead engages only where a decision carries a “legal or similarly significant effect,” a formulation inspired by Article 22 of the GDPR. This would exclude some lower-stakes uses of automation, but more material decisioning systems such as AI-driven hiring, credit scoring, insurance underwriting and benefits adjudication would all be captured by these requirements.

Updated Definitions for Personal and Sensitive Information

Although the PPCDA’s definition of “personal information” maintains alignment with the current definition under PIPEDA by including “information about an identifiable individual,” it also expressly includes “information that is inferred about an individual.”

The OPC has long taken the position that inferences are personal information and has advocated for this to be made express, and the Supreme Court’s understanding of informational privacy includes inferences and assumptions drawn from other information; however, this is the first time that a Canadian statutory definition of personal information expressly includes inferences. Notably, the drafting is neutral as to the nature of the data that may be used to make such inferences, likely in recognition that, in many cases, inferences about an individual may be derived from the personal information of other individuals or from other types of data.

The PPCDA also introduces a definition for “sensitive” personal information that differs from that of PIPEDA, under which any information can be sensitive, depending on the context.

The new definition permits a similar contextual latitude (“personal information in respect of which, taking into account the circumstances, an individual has a heightened expectation of privacy”), but also enumerates several categories of information that would be presumptively recognized as sensitive, including a child’s personal information and personal information revealing an individual’s racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic information, health information, biometric information that is capable of uniquely identifying the individual, and sexual orientation. Many of these have been identified in OPC guidance and findings as sensitive, and the list very closely tracks the definition of special category data under the GDPR. Notably, financial information is not listed.

Privacy as a Fundamental Right

Bill C-27’s CPPA referred to a “right of privacy” but faced criticism for not elevating it clearly above the needs of organizations. Bill C-36 is more assertive, at least in principle: privacy is described as a “fundamental right” of individuals in the purpose statement of the PPCDA.

Courts and the Commission would likely apply it as a core interpretive principle. For businesses, the practical effect is this: where the statute requires a balancing of privacy against legitimate interests, business needs or other reasonable requirements of organizations, the fundamental-right framing may tip the analysis toward the protection of individual privacy. Organizations should expect that ambiguous cases may be resolved in favour of privacy protection, particularly where children’s information or other sensitive information is involved.

Conclusion

Bill C-36 represents a fundamental shift in Canada’s approach to private sector privacy regulation. The PPCDA’s expanded definitions, prescriptive consent requirements, transparency requirements, mandatory privacy impact assessments for cross-border data transfers and significantly heightened penalties with follow-on class action risk will demand substantial compliance investment from organizations operating in Canada.

Bill C-36 remains at the infancy stage of the legislative process and may undergo material amendments. However, unlike its two predecessors, Bill C-36 was introduced by a majority government. It is therefore significantly more likely to reach the finish line. With the recent introduction of Bill C-34 and the release of Canada’s national AI strategy, the current majority government is sending clear signals that it intends to tackle the challenges posed by present-day technologies and the data flows inherent to their functioning, including by updating Canada’s private sector privacy framework and transforming the regulatory landscape.

In addition, the Commission may take some time after royal assent to become fully operational, and several important aspects of the PPCDA will be left to future regulations and administrative guidance, including requirements relating to privacy impact assessments, elements of the cross-border transfer framework, and the certification programs and codes of practice contemplated by the legislation. As a result, the ultimate contours of Canada’s future privacy regime will likely not be fully known for some time even after the PPCDA comes into force.

That said, organizations doing business in Canada should begin reviewing their privacy governance programs, data inventories, consent mechanisms and cross-border data transfer practices now. Although the details of the regime will continue to evolve, the path ahead is clear: privacy compliance is set to become substantially more prescriptive, more heavily enforced and more consequential.

Davies’ Cybersecurity and Data Privacy group will continue to monitor Bill C-36’s progress through Parliament and, in the months to come, will provide updates and additional insights relating to Bill C-36, Bill C-34 and the national AI for All strategy.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
