Bill C-36: What Organizations Need to Know About Canada’s New Privacy Reform

Key takeaways
- Bill C-36 introduces the Protecting Privacy and Consumer Data Act (PPCDA), replacing key provisions of the Personal Information Protection and Electronic Documents Act (PIPEDA).
- A new regulator, the Digital Safety and Data Protection Commission of Canada, will oversee the new regime with strong enforcement powers.
- Organizations will face new consent requirements and compliance obligations.
The bill
On June 15, 2026, Canada’s Minister of Artificial Intelligence and Digital Innovation, Evan Solomon, introduced Bill C-36: An Act to enact the Protecting Privacy and Consumer Data Act, to amend the Personal Information Protection and Electronic Documents Act and to make amendments to other Acts (“Bill C-36” or “PPCDA”).
PPCDA marks the government’s third attempt to overhaul Canada’s federal private sector privacy legislation and to modernize the country’s privacy framework for the digital age. Introduced as Bill C-36, the legislation would replace the privacy provisions of PIPEDA with a new regime designed to respond to what the government describes as today’s “data-driven economy”, including the growing use of automated decision-making, children’s online data, and increasingly sophisticated uses of personal information.
Why this matters
Bill C-36 is the most consequential proposed reform of Canada’s private-sector privacy law in more than 20 years. If enacted, it would change how organizations collect, use, and govern personal information, including through new accountability obligations, new requirements relating to automated decision-making and children’s privacy, and increased scrutiny of cross-border data practices.
At its core, PPCDA seeks to balance individuals’ privacy rights and organizations’ need to collect, use, and disclose personal information for reasonable purposes. Among other things, it would:
- recognize privacy as a “fundamental right”;
- require express consent by default and plain-language explanations;
- create new exceptions to the consent requirement, including a new legitimate interest exception;
- create new privacy impact assessment and privacy management program requirements;
- create a right to request deletion of personal information in certain circumstances;
- support data mobility; and
- impose higher standards for children’s personal information.
It would also introduce new transparency requirements for automated decision systems and address potentially unfair uses of data, including surveillance pricing.
PPCDA would also reshape privacy enforcement in Canada. Oversight would shift to a new Digital Safety and Data Protection Commission of Canada with authority to issue binding orders and pursue significant penalties for non-compliance, including fines up to the greater of $10 million and 3% of an organization’s gross annual global revenue.
This post provides a high-level overview. We will explore these and other topics in depth in the coming weeks.
Bill C-36: New Oversight Structure
PPCDA contemplates a new oversight structure headed by the Canadian Digital Safety and Data Protection Commission, a new independent regulator responsible for administering both PPCDA and the Digital Safety Act. Its mandate would include developing guidance and standards, assessing compliance, conducting audits and inspections, administering complaints, coordinating with other regulators, and enforcing legal obligations through compliance orders and administrative monetary penalties.
To support privacy oversight, the legislation would create a designated Privacy and Consumer Data Commissioner within the Commission to lead enforcement of PPCDA, supported by specialized privacy expertise. A Privacy and Consumer Data Division would also be established within the Commission to support privacy-related review, adjudicative functions, and other functions.
The creation of the Commission represents a departure from the framework proposed in the previous Bill C-27, which would have divided privacy enforcement responsibilities between the Privacy Commissioner and a separate tribunal. PPCDA instead brings those functions into a more integrated institutional framework intended to support more coordinated oversight of privacy and digital safety issues.
For organizations, the practical implication is the emergence of a broader digital regulator with responsibility for both privacy and online safety matters, supported by binding order-making powers and significant administrative monetary penalties for non-compliance.
How Bill C-36 changes PIPEDA
PIPEDA provides the current federal framework for private sector privacy regulation. Under that regime, the Office of the Privacy Commissioner of Canada serves as the primary federal privacy regulator. The Privacy Commissioner investigates complaints, conducts audits, promotes compliance, publishes guidance and research, and may seek remedies through court proceedings. Although the Commissioner has broad investigative powers, PIPEDA has historically operated as a collaborative and compliance-focused model centred on recommendations, guidance, and negotiated resolution.
PPCDA marks a departure from that framework. Rather than centring privacy regulation on the Privacy Commissioner, the legislation would place privacy oversight within the Digital Safety and Data Protection Commission of Canada, a broader regulator responsible for both privacy and digital safety matters.
The significance of this change lies not only in the substantive privacy obligations proposed by PPCDA, but also in the structure of the regulatory framework itself. Compared with PIPEDA, PPCDA would introduce a more centralized administrative framework that integrates privacy oversight within a broader digital regulator and supports greater coordination across privacy, digital safety, competition, and communications issues.
More broadly, PPCDA reflects a regulatory approach that treats privacy as increasingly interconnected with other digital policy concerns. It would situate privacy regulation within a wider framework designed to address overlapping issues across the digital ecosystem.
Consent, Privacy Management, and Other Obligations
The legislation would also create new privacy obligations and modify existing privacy obligations, including:
- Mandatory privacy management program (s. 9) — organizations must implement and maintain documented policies, practices and procedures, scaled to data volume and sensitivity, and produce it to the Commission upon request.
- Consent overhaul (ss. 15-17) — organizations must obtain an individual’s valid consent for the collection, use, or disclosure of personal information; organizations must provide plain language explanations in obtaining that consent; and express consent is the default, though implied consent may be appropriate in some circumstances.
- Consent exceptions — consent is not required for specified “business activities” (s. 18(2)) and where a “legitimate interest” exists (s. 18(3)), subject to a documented privacy impact assessment and other conditions.
- Right to disposal / deletion (s. 54) — individuals can require deletion of their personal information, subject to enumerated exceptions.
- Data mobility (s. 72) — organizations must, on request, transfer an individual’s data to another designated organization where both are subject to a data-mobility framework (details left to regulation).
- Cross-border transfers (s. 57) — a privacy impact assessment is required before disclosing/transferring personal information outside of Canada.
The baseline rules on valid consent, required disclosures for valid consent, plain-language disclosure, express versus implied consent, anti-bundling, anti-deception, and withdrawal of consent remain substantially aligned with the Bill C-27 structure in ss. 15-17. The more meaningful changes from Bill C-27 to Bill C-36 are in the compliance provisions.
Compared with PIPEDA, Bill C-36 adopts a more prescriptive approach: whereas PIPEDA relies on broad principles, Bill C-36 codifies those concepts in operative provisions and layers on more detailed compliance requirements. If enacted, the practical effect would likely be a more documented, process-driven, and regulator-facing compliance model that requires more robust consent language and stronger internal documentation for legitimate-interest assessments and other exceptions.
Next Legislative Steps
The bill is only at first reading. It still must pass second reading, committee study, third reading, the full Senate process, and receive royal assent before becoming law. The bill may be amended in that process.
Substantial detail is deferred to regulations, including data-mobility frameworks, prescribed “business activities”, breach-reporting form and content, security-safeguard standards, and more. The practical compliance burden will not be fully knowable until those regulations are published. In addition, a mandatory five-year parliamentary review is built in.
What Organizations Should Do Now
- Stay Aware of Changes – We will be publishing posts explaining PPCDA in depth and sharing updates about coming-into-force. Please consider subscribing using the information below.
- Prepare for the Changes – Organizations should plan for significant compliance efforts under PPCDA, including updated consent and plain-language notice practices, new deletion and data mobility rights, and enhanced protections for children’s personal information.
- Prepare for Consultations – Organizations should be considering the impact the legislation will have on them and, if appropriate, the value of advocating for improvements and clarifications.
To follow the updates, subscribe to TechLex (below) or contact our Cyber/Data Group for assistance on navigating this complex new regime.
To learn more about how our Cyber/Data Group can help you navigate the privacy and data landscape, please contact national co-leaders Charles Morgan and Daniel Glover.


