Canada’s New Privacy Regulator: Why Bill C-36’s Institutional Shift is a Game Changer

Canada's proposed overhaul of its federal privacy regime would merge privacy oversight into a broader mandate to prevent online harm. A new Digital Safety and Data Protection Commission would hold that dual mandate. It would also have strong enforcement powers: the ability to make binding orders and issue large penalties.
Bill C-36’s Institutional Shift: What’s Changing?
Canada’s proposed Protecting Privacy and Consumer Data Act (“PPCDA”), if enacted, would represent what the federal government describes as the most significant change to Canada’s private-sector privacy law in more than 25 years.
Among the most consequential changes is the creation of a new federal privacy regulator: the Digital Safety and Data Protection Commission of Canada (the “Commission”). The Commission would administer the PPCDA and also have responsibility for the Digital Safety Act proposed under Bill C-34, a dual mandate the government says is intended to support coherence across digital frameworks, including on issues such as age assurance, synthetic content (e.g., deepfakes or other audio or visual depiction of a person, object, or event that is created or heavily manipulated by electronic means), and children’s safety online.
Within that Commission, a designated Privacy and Consumer Data Commissioner (the “Commissioner”) would lead PPCDA oversight and enforcement, supported by specialized privacy expertise. A Privacy and Consumer Data Division would also sit within the Commission’s structure, forming part of the new review and enforcement architecture contemplated by Bill C-36.
Bill C-36’s Institutional Shift at a Glance:
- Bill C-36 would transfer federal private-sector privacy oversight from the Office of the Privacy Commissioner of Canada (“OPC”) to the proposed Digital Safety and Data Protection Commission of Canada.
- The proposed Commission would have stronger regulatory and enforcement powers, including the ability to issue binding orders and impose administrative monetary penalties.
- Bill C-36 would situate privacy within a broader digital governance framework, creating a more integrated regulatory approach to interconnected digital issues.
- The OPC would continue to exist and retain responsibility for public-sector oversight under the Privacy Act.
From Ombuds-style Oversight to Regulator-backed Enforcement
The current OPC model has two defining features. First, the OPC is an Agent of Parliament. Agents of Parliament are parliamentary entities, not government entities, and are responsible directly to both Houses of Parliament; they have independence from government.
Second, under PIPEDA, federal private-sector privacy enforcement is ombuds-like rather than prosecutorial: the OPC investigated, reported, guided and, where it saw fit, sought court remedies, but it did not itself impose the kind of binding orders and revenue-based penalties now contemplated under Bill C-36.
The PPCDA would change that enforcement regime as we explained in Bill C-36: What Organizations Need to Know About Canada’s New Privacy Reform. Notably, the Commission would have the ability to impose administrative monetary penalties of up to the greater of $10 million or 3% of global revenue, with fines for the most serious offences reaching the greater of $25 million or 5% of global revenue.
The OPC has been an internationally prominent and respected privacy authority. For example, in 2025, the current Privacy Commissioner of Canada was elected Chair of the Global Privacy Assembly, a leading international forum made up of more than 130 data protection and privacy authorities and observers.
The Independence Question
Aspects of the Commissioner that make it less independent than the OPC include more Cabinet control over appointment and dismissal, a lack of a fixed term, no direct reporting to Parliament (instead reporting through the Minister) and the ability of the Minister to direct certain actions of the Commissioner.
Some critics argue less independence risks weakening Canada’s standing in the privacy world. Concerns about independence are fair because privacy law is not merely consumer regulation. It protects a fundamental interest in autonomy, dignity, and informational control that should be insulated from excessive government interference.
But the independence analysis should distinguish between public-sector oversight and private-sector regulation. The strongest traditional rationale for an Agent of Parliament[1] is that the regulator may need to scrutinize government itself.
Where the regulator investigates federal institutions, independence from government is essential. That is precisely why the OPC’s public-sector role under the Privacy Act has such institutional logic and Bill C-36 will not change that. In fact, at present, the OPC is the only Agent of Parliament that has direct oversight of the private sector; all others primarily regulate the public sector.[2]
Why Centralization is a Game Changer
There is a strong practical argument for the new model. Privacy increasingly intersects with digital safety, AI governance, children’s online protection, age assurance, platform accountability, competition, consumer protection, cybersecurity, and data mobility. The government’s stated rationale is that one Commission can create greater coherence across broad digital issues and draw on diverse expertise within a single regulator.
For legal advisors and executives, that may be helpful. A unified regulator could reduce fragmented enforcement paths, develop integrated guidance, and assess privacy risks in the broader context in which modern organizations actually operate.
A privacy issue involving a social platform, age assurance, automated recommendations, targeted advertising, and children’s data is rarely “only” a privacy issue. It is often also a digital safety, consumer protection, platform governance, and innovation issue.
Bill C-36’s design reflects that reality. The proposed Commission, Commissioner, and Division would be required to consider factors such as the purpose of the Act, the size and revenue of organizations, the volume and sensitivity of personal information, the best interests of children, Canada’s international trade obligations, economic growth, competition, innovation, and other public-interest considerations. That is a striking institutional signal. It suggests that private-sector privacy enforcement would be expressly situated within a broader policy framework, rather than treated as a standalone rights-enforcement silo.
This may be positive in the private-sector context if it produces proportionate, practical, and commercially realistic enforcement. It could also support clearer guidance for small and medium-sized businesses, responsible innovation, certification programs, privacy-enhancing technologies, and cross-border risk mitigation (i.e., all goals the government has associated with the PPCDA).
Political, Trade, and Cross-border Considerations
Centralization also has consequences on the broader economy and international relations. Prior OPC enforcement has involved major foreign technology companies and globally significant digital practices. To illustrate with a few examples:
- the OPC launched an investigation into OpenAI in 2023 after a complaint alleging collection, use, and disclosure of personal information without consent, which culminated in a publication of a critical report of findings in 2026.
- Canadian privacy authorities also found Clearview AI’s scraping of billions of facial images to be unlawful mass surveillance, involving sensitive biometric information and a New York-based company’s services offered to Canadian law enforcement and other organizations.
- A joint investigation into TikTok found inadequate measures to keep children off the platform and concerns regarding the collection and use of children’s sensitive personal information for profiling and targeting purposes.
- The OPC’s Facebook/Cambridge Analytica litigation also led to a 2024 Federal Court of Appeal ruling acknowledging that international data giants whose business models rely on user data must respect Canadian privacy law.
These matters demonstrate why privacy enforcement can have implications beyond domestic compliance. Enforcement against foreign technology platforms may affect data flows, market access, public trust, and trade-sensitive digital policy.
Bill C-36 does not say that enforcement should be diluted for trade reasons. But by implicitly embedding international trade obligations, innovation, competition, and economic growth into the regulator’s decision-making frame by virtue of a less independent governance structure, it makes those considerations part of the institutional architecture. Legal advisors should therefore expect privacy enforcement strategy to become more closely connected to broader (inter)national policy and cross-border data strategy.
Practical Implications for Businesses: What Organizations Should Do Now
For organizations, the central message is readiness. If Bill C-36 is enacted, they should be prepared for a more enforcement-oriented privacy regime.
Organizations can expect:
Stronger regulatory tools, including:
- binding orders;
- administrative monetary penalties;
- audits;
- compliance agreements; and
- more formal enforcement pathways.
Expanded compliance expectations and bureaucracy, including:
- privacy management programs;
- clearer consent;
- privacy impact assessments in important contexts;
- deletion rights;
- automated decision transparency;
- cross-border transfer assessments; and
- stronger protections for children’s data.
Priority Actions for Legal and Compliance Teams
Businesses will need to treat privacy as a board-level governance issue. Legal and compliance teams have a big task ahead of them. They will need to:
- map personal information;
- identify high-risk uses;
- document legitimate-interest and cross-border assessments;
- review automated decision systems;
- assess children’s data exposure (as applicable); and
- prepare for a regulator that may look at privacy alongside online safety, AI, consumer protection, competition, and telecommunications concerns.
What Success Will Require
The institutional shift is not risk-free. The effectiveness of the new model will require safeguards such as:
- transparent appointments;
- functional separation between guidance and enforcement;
- real privacy expertise;
- adequate resourcing; and
- maintaining credibility with provincial and international privacy authorities.
But in the private-sector context, a more centralized regulator could be a constructive development if it delivers stronger enforcement, clearer guidance, and more coherent digital governance.
The challenge for Parliament will be to preserve what made the OPC respected (i.e., expertise, independence of judgment, and rights-based credibility) while building a regulator capable of governing data in a more complex, interconnected digital economy.
For questions about Bill C‑36 and its potential implications for your organization, please contact a member of our Cyber/Data group.
[1] There are currently nine Officers or Agents of Parliament: Auditor General of Canada; Chief Electoral Officer of Canada; Commissioner of Official Languages; Information Commissioner of Canada; Privacy Commissioner of Canada; Conflict of Interest and Ethics Commissioner; Commissioner of Lobbying of Canada; Public Sector Integrity Commissioner of Canada; and Parliamentary Budget Officer.
[2] Other Officers or Agents of Parliament have indirect oversight of the private sector. The Commissioner of Lobbying of Canada Regulates the conduct of lobbyists, including consultant lobbyists and corporations/organizations that lobby the federal government. This is oversight of lobbying activity rather than regulation of the private sector's commercial conduct. The Auditor General of Canada may also have indirect oversight of recipients of public funds in limited circumstances.
Stay Connected
All form fields are required "*"

