DLA Piper (Canada) LLP | View firm profile
The bill arrives on the heels of the government’s AI for All: Canada’s National Artificial Intelligence Strategy, which signalled that AI-related risks would be addressed through targeted legislation, including promised privacy modernization, rather than through standalone AI regulation. We discussed the strategy’s key commitments, regulatory gaps, and implications for organizations in a recent bulletin. It also follows the recent introduction of Bill C-34, the Safe Social Media Act, which establishes the Digital Safety Commission of Canada and imposes digital safety obligations on social media platforms, chatbot services, and other online services. Bill C-36 builds on that institutional foundation by expanding the mandate of the Digital Safety Commission to encompass data protection, renaming it the Digital Safety and Data Protection Commission of Canada.
A third attempt at Federal privacy reform
Bill C-36 is the third attempt in six years to modernize PIPEDA. Bill C-11, the Digital Charter Implementation Act, 2020, was introduced in the 43rd Parliament but died on the order paper in 2021 when a federal election was called. Bill C-27, the Digital Charter Implementation Act, 2022, was introduced in June 2022 as a more ambitious successor and advanced through committee study before Parliament was prorogued in January 2025, killing the bill.
The previous Bill C-27 was a three-part omnibus bill: Part 1 would have enacted the Consumer Privacy Protection Act (CPPA), Part 2 would have established a Personal Information and Data Protection Tribunal, and Part 3 would have enacted the Artificial Intelligence and Data Act (AIDA). As we noted when Parliament was prorogued in January 2025, the bill’s demise left Canada without specific and broad-based federal AI regulation and delayed PIPEDA modernization for a second time. The new Bill C-36, by contrast, is a narrower and more focused instrument. It enacts only the privacy legislation and leaves artificial intelligence regulation to be addressed through other means—a deliberate shift that reflects industry criticism of AIDA as potentially more restrictive than the European Union’s AI Act, as well as the government’s stated preference for an incremental, multi-bill approach.
Key differences from Bill C-27
While much of Bill C-36’s substantive privacy framework will be familiar to those who followed the previous Bill C-27, the new legislation introduces several notable changes.
Privacy as a fundamental right
The previous Bill C-27’s purpose clause recognized “the right of privacy of individuals with respect to their personal information.” The new Bill C-36 elevates this language, recognizing the “fundamental right of privacy of individuals with respect to their personal information.” While some experts already argue that this change is more rhetorical than substantive, it aligns the legislation with the government’s position in the AI for All strategy.
A new enforcement body will replace the Tribunal model
Perhaps the most significant structural change is the elimination of the Personal Information and Data Protection Tribunal that Bill C-27 would have created. Under the previous Bill C-27, the Privacy Commissioner would investigate complaints and make findings, but penalties could only be imposed by the separate Tribunal on the Commissioner’s recommendation. Critics argued that this split weakened enforcement and slowed the path to resolution.
The new Bill C-36 takes a different approach. It houses privacy oversight within the new Digital Safety and Data Protection Commission of Canada, the same body established by the Safe Social Media Act. The Digital Safety and Data Protection Commission of Canada will include a dedicated Privacy and Consumer Data Commissioner and a specialized Privacy and Consumer Data Division. The Commission itself will have the power to issue binding orders, impose penalties, and conduct audits: in effect, consolidating functions that the previous Bill C-27 had split across three bodies.
No standalone AI legislation
The previous Bill C-27 included AIDA as its Part 3, which would have created a framework for regulating high-impact AI systems, including requirements for risk assessments, record-keeping, and publication of system descriptions. The new Bill C-36 does not include any equivalent. Instead, the AI for All strategy signals that AI governance will be addressed through a combination of existing and forthcoming instruments, including privacy modernization, online safety legislation, and sector-specific measures.
Enhanced penalties
The previous Bill C-27 capped administrative monetary penalties at the greater of $10,000,000 and 3% of the organization’s gross global revenue, with criminal fines of up to $25,000,000 or 5% of global revenue for the most serious offences. The new Bill C-36 maintains that same penalty structure: administrative monetary penalties of up to the greater of $10,000,000 and 3% of global revenue, and criminal fines of up to the greater of $25,000,000 and 5% of global revenue on indictment or the greater of $20,000,000 and 4% on summary conviction. What has changed is how penalties are imposed: they no longer require a separate tribunal proceeding, which may make enforcement faster and more direct.
Private right of action refined
Both bills include a private right of action allowing individuals to seek damages for contraventions. Under the new Bill C-36, the right of action is available once a contravention has been established through the regulatory process—whether by the Commissioner’s finding, the Commission’s review decision, or a Federal Court ruling on appeal—and must be brought within two years after the individual becoming aware of the relevant decision.
Cross-border transfers and digital sovereignty
The new Bill C-36 introduces an explicit requirement that organizations disclose or transfer personal information outside Canada only after assessing and mitigating any privacy risks associated with the transfers. While the previous Bill C-27 addressed international transfers, Bill C-36’s framing reflects the government’s heightened emphasis on data sovereignty, a theme that runs through the AI for All strategy’s focus on sovereign infrastructure and treating data as a “strategic national asset.”
Children’s information
The previous Bill C-27 treated minors’ personal information as inherently sensitive. The new Bill C-36 goes a step further, with the government describing the legislation as placing “particular focus on children’s personal information” and requiring organizations to meet a higher standard when handling such information. The bill also requires the Commissioner to take into account “the best interests of children” in exercising any powers or performing any duties under the Act.
Surveillance pricing
The government backgrounder specifically identifies “inappropriate surveillance pricing” as an example of unfair uses of personal information that the PPCDA is designed to address. This is a timely issue that has attracted regulatory attention in the United States and elsewhere, and its explicit mention signals that the government views dynamic pricing based on personal data profiling as an area ripe for legislative intervention.
Automated decision system transparency
Both bills require organizations to disclose their use of automated decision systems, but the new Bill C-36 adjusts the threshold language. The previous Bill C-27 applied the obligation to systems that “could have a significant impact” on individuals; the new Bill C-36 narrows this requirement to systems that “could have a legal or similarly significant effect” on them. The shift toward “legal or similarly significant effect” more closely mirrors GDPR language and may meaningfully redefine the scope of the obligation.
De-identification framework
Bill C-36 carries forward the distinction between de-identification and anonymization, and confirms that de-identified personal information does not cease to be personal information. The bill also includes a prohibition on re-identifying de-identified information, subject to enumerated exceptions—including testing the fairness and accuracy of models developed using de-identified data, testing the effectiveness of de-identification processes, and complying with legal requirements. This framework is a key feature for organizations relying on privacy-enhancing technologies for research and development.
Continuity with Bill C-27
Many core features of the previous Bill C-27’s privacy framework are carried forward, including the privacy management program requirement, meaningful consent obligations with transparency requirements in plain language, expanded consent exceptions for business activities, research and de-identification, data mobility frameworks, breach notification to the regulator and affected individuals, codes of practice and certification programs, and the right to request disposal of personal information.
Why it matters
For organizations currently subject to PIPEDA, the practical implications of Bill C-36 will depend on how quickly it advances through Parliament and, ultimately, on the regulations and guidance that follow. A number of key points are worth noting now:
- Enforcement is likely to be more direct and efficient under the new Commission model, with binding orders and penalties available without requiring a separate tribunal proceeding. Organizations should not assume the same pace that characterized enforcement under PIPEDA.
- The absence of standalone AI legislation does not mean the absence of AI-related obligations. Privacy obligations, particularly around appropriate purposes, transparency concerning automated decision systems, and de-identification, will apply to AI-driven data practices directly. Organizations should expect overlapping compliance obligations across the regulatory landscape.
- Organizations that followed the previous Bill C-27’s progress closely and adjusted their privacy programs accordingly are well-positioned. The substantive obligations are largely familiar. What has changed most significantly is the institutional architecture: who enforces the rules, how quickly they can act, and how directly consequences follow.
- The new Bill C-36 received first reading on June 15, 2026. The government has indicated it will consult stakeholders on the transition to the new regulator. As noted above, its coming into force is contingent on the enactment and the commencement of Bill C-34. We will continue to monitor both bills as they progress through Parliament.
For further information, please contact any member of our Data Protection, Privacy and Cybersecurity team.