{"id":57390,"date":"2026-06-22T09:18:44","date_gmt":"2026-06-22T09:18:44","guid":{"rendered":"https:\/\/my.legal500.com\/developments\/?post_type=legal_developments&p=57390"},"modified":"2026-06-22T09:18:57","modified_gmt":"2026-06-22T09:18:57","slug":"canada-tables-bill-c-36-the-protecting-privacy-and-consumer-data-act","status":"publish","type":"legal_developments","link":"https:\/\/my.legal500.com\/developments\/thought-leadership\/canada-tables-bill-c-36-the-protecting-privacy-and-consumer-data-act\/","title":{"rendered":"Canada tables Bill C-36: The Protecting Privacy and Consumer Data Act"},"content":{"rendered":"
\n
\n
\n
On June 15, 2026, the Minister of Artificial Intelligence and Digital Innovation introduced Bill C-36, an Act to enact the <\/span>Protecting Privacy and Consumer Data Act\u00a0<\/em>(PPCDA). If passed, the PPCDA would replace Part 1 of the\u00a0<\/span>Personal Information Protection and Electronic Documents Act<\/em>\u00a0(PIPEDA), Canada\u2019s 25-year-old federal private-sector privacy law, with a modernized framework that recognizes privacy as a fundamental right, creates a new regulator, and introduces significantly enhanced enforcement tools.<\/span><\/strong><\/div>\n
<\/div>\n<\/div>\n<\/div>\n<\/div>\n

<\/p>\n

\n
\n
\n
\n
\n

The bill arrives on the heels of the government\u2019s\u00a0AI for All: Canada\u2019s National Artificial Intelligence Strategy<\/em>, which signalled that AI-related risks would be addressed through targeted legislation, including promised privacy modernization, rather than through standalone AI regulation. We discussed the strategy\u2019s key commitments, regulatory gaps, and implications for organizations in a\u00a0recent bulletin<\/a>. It also follows the recent introduction of\u00a0Bill C-34<\/a>, the\u00a0Safe Social Media Act<\/em>, which establishes the Digital Safety Commission of Canada and imposes digital safety obligations on social media platforms, chatbot services, and other online services. Bill C-36 builds on that institutional foundation by expanding the mandate of the Digital Safety Commission to encompass data protection, renaming it the Digital Safety and Data Protection Commission of Canada.<\/p>\n

A third attempt at Federal privacy reform<\/strong><\/p>\n

Bill C-36 is the third attempt in six years to modernize PIPEDA.\u00a0Bill C-11<\/a>, the\u00a0Digital Charter Implementation Act, 2020<\/em>, was introduced in the 43rd Parliament but died on the order paper in 2021 when a federal election was called. Bill C-27, the Digital Charter Implementation Act, 2022, was introduced in June 2022 as a more ambitious successor and advanced through committee study before Parliament was prorogued in January 2025, killing the bill.<\/p>\n

The previous Bill C-27 was a three-part omnibus bill: Part 1 would have enacted the\u00a0Consumer Privacy Protection Act\u00a0<\/em>(CPPA), Part 2 would have established a\u00a0Personal Information and Data Protection Tribunal<\/em>, and Part 3 would have enacted the\u00a0Artificial Intelligence and Data Act<\/a><\/em>\u00a0(AIDA). As we noted when\u00a0Parliament was prorogued in January 2025<\/a>, the bill\u2019s demise left Canada without specific and broad-based federal AI regulation and delayed PIPEDA modernization for a second time. The new Bill C-36, by contrast, is a narrower and more focused instrument. It enacts only the privacy legislation and leaves artificial intelligence regulation to be addressed through other means\u2014a deliberate shift that reflects industry criticism of AIDA as potentially more restrictive than the European Union\u2019s AI Act, as well as the government\u2019s stated preference for an incremental, multi-bill approach.<\/p>\n

Key differences from Bill C-27<\/strong><\/p>\n

While much of Bill C-36\u2019s substantive privacy framework will be familiar to those who followed the previous Bill C-27, the new legislation introduces several notable changes.<\/p>\n

Privacy as a fundamental right<\/em><\/p>\n

The previous Bill C-27\u2019s purpose clause recognized \u201cthe right of privacy of individuals with respect to their personal information.\u201d The new Bill C-36 elevates this language, recognizing the \u201cfundamental right of privacy of individuals with respect to their personal information.\u201d While some experts already argue that this change is more rhetorical than substantive, it aligns the legislation with the government\u2019s position in the\u00a0AI for All strategy<\/em>.<\/p>\n

A new enforcement body will replace the Tribunal model<\/em><\/p>\n

Perhaps the most significant structural change is the elimination of the Personal Information and Data Protection Tribunal that Bill C-27 would have created. Under the previous Bill C-27, the Privacy Commissioner would investigate complaints and make findings, but penalties could only be imposed by the separate Tribunal on the Commissioner\u2019s recommendation. Critics argued that this split weakened enforcement and slowed the path to resolution.<\/p>\n

The new Bill C-36 takes a different approach. It houses privacy oversight within the new Digital Safety and Data Protection Commission of Canada, the same body established by the Safe Social Media Act. The Digital Safety and Data Protection Commission of Canada will include a dedicated Privacy and Consumer Data Commissioner and a specialized Privacy and Consumer Data Division. The Commission itself will have the power to issue binding orders, impose penalties, and conduct audits: in effect, consolidating functions that the previous Bill C-27 had split across three bodies.<\/p>\n

No standalone AI legislation<\/em><\/p>\n

The previous Bill C-27 included AIDA as its Part 3, which would have created a framework for regulating high-impact AI systems, including requirements for risk assessments, record-keeping, and publication of system descriptions. The new Bill C-36 does not include any equivalent. Instead, the\u00a0AI for All strategy<\/em>\u00a0signals that AI governance will be addressed through a combination of existing and forthcoming instruments, including privacy modernization, online safety legislation, and sector-specific measures.<\/p>\n

Enhanced penalties<\/em><\/p>\n

The previous Bill C-27 capped administrative monetary penalties at the greater of $10,000,000 and 3% of the organization\u2019s gross global revenue, with criminal fines of up to $25,000,000 or 5% of global revenue for the most serious offences. The new Bill C-36 maintains that same penalty structure: administrative monetary penalties of up to the greater of $10,000,000 and 3% of global revenue, and criminal fines of up to the greater of $25,000,000 and 5% of global revenue on indictment or the greater of $20,000,000 and 4% on summary conviction. What has changed is how penalties are imposed: they no longer require a separate tribunal proceeding, which may make enforcement faster and more direct.<\/p>\n

Private right of action refined<\/em><\/p>\n

Both bills include a private right of action allowing individuals to seek damages for contraventions. Under the new Bill C-36, the right of action is available once a contravention has been established through the regulatory process\u2014whether by the Commissioner\u2019s finding, the Commission\u2019s review decision, or a Federal Court ruling on appeal\u2014and must be brought within two years after the individual becoming aware of the relevant decision.
\n
\nCross-border transfers and digital sovereignty<\/em><\/p>\n

The new Bill C-36 introduces an explicit requirement that organizations disclose or transfer personal information outside Canada only after assessing and mitigating any privacy risks associated with the transfers. While the previous Bill C-27 addressed international transfers, Bill C-36\u2019s framing reflects the government\u2019s heightened emphasis on data sovereignty, a theme that runs through the AI for All strategy\u2019s focus on sovereign infrastructure and treating data as a \u201cstrategic national asset.\u201d<\/p>\n

Children\u2019s information<\/em><\/p>\n

The previous Bill C-27 treated minors\u2019 personal information as inherently sensitive. The new Bill C-36 goes a step further, with the government describing the legislation as placing \u201cparticular focus on children\u2019s personal information\u201d and requiring organizations to meet a higher standard when handling such information. The bill also requires the Commissioner to take into account \u201cthe best interests of children\u201d in exercising any powers or performing any duties under the Act.<\/p>\n

Surveillance pricing<\/em><\/p>\n

The government backgrounder specifically identifies \u201cinappropriate surveillance pricing\u201d as an example of unfair uses of personal information that the PPCDA is designed to address. This is a timely issue that has attracted regulatory attention in the United States and elsewhere, and its explicit mention signals that the government views dynamic pricing based on personal data profiling as an area ripe for legislative intervention.<\/p>\n

Automated decision system transparency<\/em><\/p>\n

Both bills require organizations to disclose their use of automated decision systems, but the new Bill C-36 adjusts the threshold language. The previous Bill C-27 applied the obligation to systems that \u201ccould have a significant impact\u201d on individuals; the new Bill C-36 narrows this requirement to systems that \u201ccould have a legal or similarly significant effect\u201d on them. The shift toward \u201clegal or similarly significant effect\u201d more closely mirrors GDPR language and may meaningfully redefine the scope of the obligation.<\/p>\n

De-identification framework
\n<\/em>
\nBill C-36 carries forward the distinction between de-identification and anonymization, and confirms that de-identified personal information does not cease to be personal information. The bill also includes a prohibition on re-identifying de-identified information, subject to enumerated exceptions\u2014including testing the fairness and accuracy of models developed using de-identified data, testing the effectiveness of de-identification processes, and complying with legal requirements. This framework is a key feature for organizations relying on privacy-enhancing technologies for research and development.<\/p>\n

Continuity with Bill C-27<\/em><\/p>\n

Many core features of the previous Bill C-27\u2019s privacy framework are carried forward, including the privacy management program requirement, meaningful consent obligations with transparency requirements in plain language, expanded consent exceptions for business activities, research and de-identification, data mobility frameworks, breach notification to the regulator and affected individuals, codes of practice and certification programs, and the right to request disposal of personal information.<\/p>\n

Why it matters<\/strong><\/p>\n

For organizations currently subject to PIPEDA, the practical implications of Bill C-36 will depend on how quickly it advances through Parliament and, ultimately, on the regulations and guidance that follow. A number of key points are worth noting now:<\/p>\n