Introduction

Introduced on June 15, 2026, Bill C-36[1] would enact the Protecting Privacy and Consumer Data Act (“PPCDA”). PPCDA is the federal government’s latest attempt to modernize Canadian privacy law for today’s “data-driven economy.” It is the third major effort to reform the Personal Information Protection and Electronic Documents Act (“PIPEDA”), following the unsuccessful Bill C-11 in 2020 and Bill C-27 in 2022. Unlike Bill C-27, which combined privacy reform with a comprehensive AI regulatory framework, Bill C-36 is primarily focused on modernizing Canada’s privacy laws. Several of its provisions, including those relating to automated decision systems, will have important implications for organizations deploying AI technologies.

Like its predecessors, Bill C-36 seeks to move beyond broad privacy principles and establish a more detailed framework governing how organizations collect, use, disclose, and manage personal information.

Bill C-36 was introduced as part of a broader federal push to regulate Canada’s digital environment, alongside Bill C-34 and Bill C-22. Bill C-34 would enact the Safe Social Media Act, establishing new safety requirements for social media services and AI chatbot services, and would create the Digital Safety Commission of Canada to administer the new framework. Bill C-22 (An Act respecting lawful access) would amend various statutes, including the Criminal Code and the Canadian Security Intelligence Service Act, to establish a modernized lawful access regime for electronic information. See our recent article for a broader view of Canada’s new AI and data strategy.

While the structural changes are significant, including the introduction of a new regulator, the Digital Safety and Data Protection Commission of Canada (the “Commission”), Bill C-36’s real impact lies in a move toward a more formal, documented, and regulated model of privacy compliance.

Why this matters

Under PIPEDA, organizations have had the flexibility to interpret broad privacy principles and apply them through internal policies and judgement. Bill C-36 reduces this flexibility by imposing explicit statutory requirements around governance, documentation, and transparency.

In practice, compliance becomes more structured, prescribed, and visible. Organizations would need to comply with the rules and demonstrate through documentation how that compliance is achieved. This represents a meaningful change in expectations for organizations that have relied on PIPEDA’s flexible approach.

Flexible principles to clear rules

Bill C-36 is specific about privacy governance. Organizations would be required to:

  • assign responsibility for compliance;
  • maintain a formal privacy management program which outlines the protection of personal information, how requests for information and complaints are dealt with, the training and information given to staff, and the development of materials to explain the organization’s policies and procedures;
  • ensure by contract or otherwise that service providers provide equivalent levels of protection to any personal information transferred to them; and
  • show their program to regulators upon request.

Bill C-36 also places clearer limits on how personal information can be used. Organizations will be required to provide clear, plain-language explanations when obtaining consent, and express consent will be the default unless implied consent is deemed appropriate in the particular circumstances.

While these concepts are not entirely new, Bill C-36 requires organizations to document how decisions are reached. Informal judgement alone may no longer be sufficient.

The same approach carries through the rest of the bill, which requires:

  • recording new personal information uses;
  • conducting privacy impact assessments for disclosure or transfer of information outside of Canada or when implementing the legitimate interest exception (as described below); and
  • reporting and tracking breaches, as is required under PIPEDA.

These requirements reinforce that documentation and process are now central to compliance.

Expanding scope – data practices and emerging technologies

Bill C-36 introduces several concepts that reflect the realities of the modern data environment and expands the regulatory framework to address evolving data practices and technologies.

Anonymized vs. de-identified information

Similar to Bill C-27, PPCDA distinguishes between anonymized and de-identified information. While anonymized information falls outside the scope of the legislation, de-identified information remains personal information which is subject to PPCDA and is accompanied by specific rules governing its use, including restrictions on re-identification.

Automated decision systems

Organizations using such systems would be subject to PPCDA’s transparency and access requirements, including an obligation, on request, to provide individuals with an explanation of automated decisions that have significant effects on them.

Children’s personal information

Children’s personal information is expressly recognized as particularly sensitive and deserving of enhanced protection.

Individual rights

Individuals would have the right to request deletion of personal information in certain circumstances, exercise access and correction rights, and request the transfer of their personal information to another organization, with data mobility requirements to be further prescribed by regulation.

Service providers

Bill C-36 draws a clearer distinction between organizations that control personal information and service providers that process information on their behalf. PPCDA expressly defines a “service provider” and permits organizations to transfer personal information to service providers without obtaining additional consent from individuals. While organizations remain accountable for personal information transferred to service providers, service providers are expressly recognized as separate actors under the legislation and are subject to direct statutory obligations, including obligations relating to security safeguards and breach reporting.

Importantly, if a service provider collects, uses, or discloses transferred personal information for a purpose other than that for which the information was transferred, it becomes fully subject to the obligations imposed under PPCDA in respect of that information.

Legitimate interest and processing without consent

While consent remains the default, Bill C-36 recognizes that organizations may sometimes use personal information without consent. This reflects a shift towards a model that accommodates certain routine business activities without relying exclusively on consent.

The most important of these is the “legitimate interest” exception. Organizations would be able to collect, use and disclose personal information without consent if their legitimate interest outweighs any reasonably foreseeable adverse effect on the individual.

This flexibility comes with conditions. Prior to using information without consent, organizations need to ensure that:

  • a reasonable person would expect the collection, use or disclosure; and
  • the personal information is not collected, used or disclosed for the purpose of influencing the individual’s behaviour or decisions.

Critically, organizations relying on this exception would be expected to conduct a privacy impact assessment, identify and mitigate risks, document their analysis for relying on the exception, and include in their publicly available privacy policies a description of any activities undertaken in reliance on the legitimate interest exception.

In practice, decisions made in reliance on this exception would need to be carefully analyzed and documented.

Bill C-36 also creates further consent exceptions for specified business activities, as well as for matters such as fraud prevention, research, employment relationships, business transactions and emergencies.

The Commission’s new enforcement powers and private right of action

The Commission will be responsible for administering and enforcing the PPCDA and the Digital Safety Act, with a designated Privacy and Consumer Data Commissioner appointed to lead enforcement. This represents a significant restructuring of Canada’s privacy enforcement model, as responsibility for private-sector privacy oversight is removed from the Office of the Privacy Commissioner of Canada (the “OPC”) and transferred to the new Commission. The OPC would continue to exist but would shift its focus primarily to public-sector privacy.

This institutional redesign reflects Parliament’s intention to integrate privacy enforcement with broader digital safety regulation under a single regulatory authority. It also marks a departure from Canada’s traditional PIPEDA model, under which the OPC functioned as an independent agent of Parliament responsible for investigating private-sector privacy complaints and issuing non-binding findings.

The proposed enforcement provisions under PPCDA represent a material increase in businesses’ liability exposure for non-compliance. The Commission will have the power to issue binding compliance orders and impose significant administrative monetary penalties:

  • Up to $10 million or 3% of global revenue, whichever is greater, for standard non-compliance; and
  • Up to $25 million or 5% of global revenue, whichever is greater, for the most serious offences.

PPCDA also introduces a private right of action, allowing individuals to seek damages directly in court for breaches of the Act. This is a material departure from PIPEDA, under which individuals could not sue organizations directly for privacy breaches.

What organizations should do now

Although Bill C-36 has a long legislative journey ahead, its direction is clear. A formal and regulated privacy regime may be coming. Organizations should consider preparing by reviewing the following.

Governance structures

Assess who within the organization is responsible for privacy compliance, oversight, and reporting. Roles for internal accountability should be clearly established.

Privacy management programs

Review whether current privacy management programs meet Bill C-36’s requirements, including assigned accountability, documented processes, compliant handling procedures, and regulator-ready records.

Consent language

Review whether existing consent wording is clear, plain-language, and appropriate for the personal information being collected, used, or disclosed. Organizations should also consider whether any activities may require a documented legitimate interest analysis.

Service provider contracts

Review existing agreements with service providers to ensure that protection obligations are in place and that service providers are clearly limited in how they may use personal information.

Automated decision systems

Organizations using AI or algorithmic tools should identify where significant automated decisions are being made and assess whether they can provide meaningful explanations if required.

Cross-border transfers, breach response and transparency

Organizations should also assess operational areas likely to be scrutinized, such as cross-border data transfers, breach response, and transparency around data use.

Conclusion

Bill C-36 moves beyond the flexible regime under PIPEDA to a more structured and enforceable system. While some flexibility is preserved, it’s conditional on organizations having clearly and justifiably documented their decisions.

The key takeaway is simple: under Bill C-36, compliance will need to be demonstrated, not merely asserted. Organizations should focus not only on whether their practices are defensible, but also on whether those practices are documented, structured, and capable of withstanding regulatory scrutiny.

Miller Thomson will continue to monitor Bill C-36 as it moves through Parliament and will continue to provide updates on any significant changes. If you have any questions about the proposed legislation or would like assistance in reviewing your current privacy practices, please contact a lawyer from our Privacy and Cybersecurity team.


[1] Bill C-36: An Act to enact the Protecting Privacy and Consumer Data Act, to amend the Personal Information Protection and Electronic Documents Act and to make amendments to other Acts (“Bill C-36”)