ARTICLE
1 July 2026

Bill C-36 And PPCDA – What You Need To Know About Potential Changes To Canada’s Federal Privacy Legislation

Clark Wilson LLP

Jeff Holowaychuk’s articles from Clark Wilson LLP are most popular:
  • with Senior Company Executives, HR and Finance and Tax Executives
  • in United States
  • with readers working within the Banking & Credit, Business & Consumer Services and Healthcare industries

Organizations that collect, use, or disclose personal information for commercial purposes should be aware of the potential incoming changes to Canadian private sector privacy law. On June 15, 2026, the Government of Canada introduced Bill C-36, marking the government’s third, and possibly most ambitious, attempt at modernizing federal private sector privacy laws.

If passed, Bill C-36 will replace the privacy protections found in the Personal Information Protection and Electronic Documents Act, S.C. 2000, c. 5 (“PIPEDA”) with the Protecting Privacy and Consumer Data Act (“PPCDA”). The PPCDA aims to strengthen Canada’s private sector privacy laws in response to the ever-increasing use and presence of data-driven technologies.

The PPCDA builds on Bill C-34, the Safe Social Media Act, which enacts the Digital Safety Act and the Digital Safety Commission of Canada Act. The PPCDA carries over the Digital Safety Commission created in Bill C-34, changes its name to the Digital Safety and Data Protection Commission of Canada (the “Commission”) and carves out a further role for the Commission in privacy enforcement and digital safety. More information on Bill C-34 can be found in our companion article discussing the Safe Social Media Act.

Bill C-34 and the PPCDA are not the first instances of the government pursuing significant changes to entities that conduct privacy oversight and regulation. Notably, Bill C-27 proposed the creation of the Personal Information and Data Protection Tribunal to impose financial penalties and issue orders concerning private-sector privacy violations while leaving the investigation of complaints to the Privacy Commissioner. Rather than following that split, the Commission is tasked with both privacy investigation and enforcement. Moreover, the PPCDA differs from Bill C-27 as it does not include standalone legislation to regulate AI, instead dealing with AI through transparency obligations that require organizations to explain decisions made by automated decision systems.

New Regulator and Oversight Framework

Perhaps the most substantial shift in privacy regulation lies in enforcement. The PPCDA bolsters the available privacy enforcement mechanisms by placing the authority to regulate privacy and digital safety matters solely in the hands of the Commission. The PPCDA creates three bodies focusing on privacy oversight:

  • the Privacy and Consumer Data Commissioner to investigate and informally resolve privacy complaints, enter into compliance agreements, conduct audits and issue notices of contravention;
  • the Commission to make binding orders; and
  • the Privacy and Consumer Data Division to deal with dispute resolution.

The PPCDA departs from PIPEDA’s current model, where the Office of the Privacy Commissioner of Canada investigates and seeks compliance through recommendations. Instead of the recommendation-based commission, the PPCDA:

  • grants the new Commission the authority to make binding orders;
  • authorizes the Commission to penalize non-compliant organizations with fines of up to $10 million or 3% of global revenue;
  • creates a private right of action for consumers impacted by an organization’s actions to seek damages for loss or injury, provided the Commissioner makes a formal finding of contravention of the PPCDA (which has not been overturned by a court on appeal);
  • provides further mechanisms of ensuring compliance by punishing serious indictable offences, such as violating whistleblower protections, obstructing privacy investigations or contravening security breach reporting requirements, with a fine of no greater than $25 million or 5% of the organization’s global revenue, whichever amount is higher.

The PPCDA also provides a non-exhaustive list of factors to guide the Commission’s performance of its functions, requiring it to consider the purposes of the PPCDA, the size and revenue of the organization, the volume of personal information under the control of organizations and the sensitivity of that information, the best interests of children, the importance of respecting Canada’s international trade obligations, the importance of supporting economic growth, competition and innovation in the Canadian marketplace and any other matter of general public interest.

Further Crucial Changes in the PPCDA

In addition to increasing the role the Commission plays in enforcing privacy legislation, the PPCDA addresses areas left unclear or unaddressed by PIPEDA:

  • Privacy Management Programs: Organizations are required to implement privacy management programs detailing efforts to protect individuals’ personal information, the process of requesting information and dealing with complaints, specific training requirements for staff, and explanations for policies and procedures surrounding personal information and privacy management.
  • Updated Consent Requirements: Consent under the PPCDA must be valid and generally expressly given unless it is appropriate to rely on implied consent. The PPCDA requires organizations to provide individuals with the purpose of collecting the information, the manner of collection, use or disclosure of the information, any reasonably foreseeable consequences of collecting the information, the specific type of information sought and the names or types of third parties to which the organization may provide the information. All this information must be provided in plain language to individuals.
  • Business Activity and Legitimate Expectations Exceptions: The PPCDA introduces two new exceptions to obtaining consent. Organizations are authorized to collect or use personal information without knowledge or consent where a reasonable person would expect the collection or use of their information for the business activity in question and the information is not used to influence an individual’s behaviour or decisions. Moreover, the PPCDA allows organizations to collect, use and disclose personal information if they have a legitimate interest that outweighs reasonably foreseeable adverse effects to the individual. To rely on this exception, an organization must identify the legitimate interest, conduct a privacy impact assessment and take reasonable measures to reduce the risk of negatively impacting individuals.
  • De-identification and Anonymization: The PPCDA formally distinguishes between de-identified and anonymized data. Anonymized data is permanently modified to remove any reasonably foreseeable risk that an individual can be identified, at which point it is no longer subject to the PPCDA. De-identified data, which is still considered to be personal information for the purposes of the PPCDA, temporarily prevents an individual from being directly identified where the risk of being identified remains. Organizations may use personal information to de-identify data and may use such data for internal research and development without an individual’s consent. However, the PPCDA prohibits the use of de-identified data to re-identify individuals.
  • Right to Request Disposal of Personal Information: PIPEDA gave consumers the right to access their data from organizations and challenge its accuracy but lacked explicit tools to request its deletion. The PPCDA provides these tools by introducing a right to request the disposal or deletion of personal information if consent is withdrawn or if the data is no longer needed.
  • Disclosure or Transfer Outside of Canada: The PPCDA requires organizations to conduct a privacy impact assessment before disclosing or transferring personal information outside of Canada.
  • Automated Decision Systems: An organization using automated decision systems or AI to make decisions that have a legal or significant effect on an individual must provide the individual with an explanation of how the decision was made, the data used and the principal factors involved.
  • Data Mobility Framework: Individuals will have the right to have an organization securely transfer their data directly to another designated organization.

Key Takeaways

While the PPCDA is not yet in effect, the proposed bill, if enacted, will shift the landscape of private sector privacy law. Organizations that handle personal information should consider how the new obligations and oversight mechanisms implemented by the PPCDA will impact their operations, particularly the introduction of the privacy management programs, consent requirements and the considerations around de-identifying and anonymizing data.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
