Canada’s Privacy Reset: Bill C-36 to Rewrite the Digital Rulebook

Background

On June 15, 2026, Canada’s Minister of Artificial Intelligence and Digital Innovation tabled Bill C-36: An Act to enact the Protecting Privacy and Consumer Data Act, to amend the Personal Information Protection and Electronic Documents Act and to make amendments to other Acts (“Bill C-36”). Bill C-36 proposes to enact the Protecting Privacy and Consumer Data Act (“PPCDA”), replacing key provisions of Canada’s existing privacy legislation, the Personal Information Protection and Electronic Documents Act (“PIPEDA”).

The proposed legislation represents the most significant modernization of Canada’s private sector privacy framework in more than 20 years. It is designed to strengthen the protection of Canadians’ personal information in an increasingly data driven economy in light of the growing use of artificial intelligence and automated decision-making systems. The new framework emphasizes clearer regulatory boundaries, increased organizational accountability and enhanced protections for sensitive data, including children’s personal information. 

Bill C-36 reflects a policy objective of enhancing public trust in digital technologies through clearer rules, stronger enforcement and expanded individual rights. If enacted, the proposed PPCDA would change the regulatory requirements on Canadian businesses when collecting, using and disclosing personal information. We discuss some of the key changes proposed by Bill C-36 below. 

Key proposed changes

If enacted, Bill C-36 would significantly modernize Canada’s private sector privacy regime by strengthening individual rights, expanding regulatory enforcement powers, and imposing more prescriptive organizational compliance obligations.

The proposed bill explicitly recognizes privacy as a “fundamental right” and expands an individual’s right over personal information including access, correction, deletion and data mobility. This would increase individuals’ ability to obtain, correct, delete and transfer their personal information and would require organizations to respond to a data subject’s request under a structured compliance process.

Bill C-36 also strengthens enforcement and oversight through the creation of a new federal regulator, the Digital Safety and Data Protection Commission of Canada (“DSDPCC”). If Bill C-36 is passed and enters into force, the DSDPCC will have the power to issue binding orders and significant administrative monetary penalties for non-compliance with the PPCDA and PIPEDA that may not exceed the greater of $10 million and 3% of an organization’s gross annual global revenue. This would materially increase Canadian businesses’ financial exposure for non-compliance with applicable privacy legislation.

From an organizational perspective, Bill C-36 introduces more formalized governance requirements on Canadian businesses, including mandatory privacy management programs with documented policies, safeguards, complaint processes and assigned compliance responsibility. This would require Canadian businesses to implement and maintain auditable privacy governance structures capable of demonstrating compliance.

Bill C-36 further increases an organization’s transparency obligations with respect to the use of artificial intelligence systems. If passed, legislation enacted by Bill C-36 will require organizations to disclose the use of automated decision-making systems and provide mechanisms for individuals to obtain explanations and challenge decisions. This would require organizations to update internal processes to increase transparency and provide a mechanism for individuals to challenge decisions made by automated decision-making systems, potentially affecting system design and documentation practices.

Finally, Bill C-36 designates children’s personal information as sensitive by default, subjecting it to enhanced protection and stricter handling requirements. If passed, Bill C-36 would require organizations to apply heightened safeguards including stricter control on collection, use, retention and disclosure of minors’ data.

Taken together, these changes would shift Canada’s private sector privacy framework toward a more prescriptive and enforcement driven regime, requiring organizations to implement more formal, demonstrable and operationalized compliance structures.

Legislative context

Bill C-36 introduces long-awaited Canadian privacy reform. Bill C-36’s predecessors, Bill C-11 and Bill C-27, were introduced in 2020 and 2022, respectively.

Under the previously proposed Bill C-27, organizations responsible for “high impact” artificial intelligence systems would have been required to assess and mitigate risks of harm or biased output, maintain documentation on mitigation measures, publish plain language disclosures regarding system use, and provide notification where systems were likely to cause material harm.

Bill C-36, by contrast, departs from that approach by removing the proposed artificial intelligence-specific framework and focusing exclusively on privacy modernization. It strengthens enforcement mechanisms through a new regulator with expanded order-making and penalty powers, while expressly recognizing privacy as a fundamental right and shifting toward a more prescriptive compliance regime.  

Key takeaway

If enacted, Bill C-36 would materially increase compliance obligations and regulatory requirements of private sector organizations operating in Canada. Organizations will be subject to heightened expectations regarding data governance, transparency and accountability, particularly in relation to automated decision-making systems, cross border data transfers and the handling of children’s personal information. In addition, regulated entities will be expected to maintain formal privacy management programs and demonstrate documented compliance frameworks capable of withstanding increased regulatory scrutiny.

More broadly, Bill C-36 signals a transition in Canadian privacy law towards a rights-based framework supported by stronger enforcement mechanisms, with significant operational and compliance implications for organizations handling personal information. 

We note that Bill C-36 is only at first reading and needs to proceed through the applicable reading stages, Senate process and receive Royal Assent before becoming law. In the interim, Canadian businesses should stay informed and prepare for compliance.

For more information about how to prepare for and comply with Canada’s newly proposed privacy legislation, please contact Roland Hung or Laura Crimi of Torkin Manes’ Technology and Privacy & Data Management Groups.

The authors would like to acknowledge Torkin Manes’ Summer Student Zeph Hlapcic for his invaluable contribution in drafting this bulletin.