{"id":52601,"date":"2026-06-30T16:50:11","date_gmt":"2026-06-30T20:50:11","guid":{"rendered":"https:\/\/www.millerthomson.com\/?p=52601"},"modified":"2026-06-30T16:50:14","modified_gmt":"2026-06-30T20:50:14","slug":"bill-c-36s-pipeda-to-ppcda-shift-the-rise-of-documented-privacy-compliance","status":"publish","type":"post","link":"https:\/\/www.millerthomson.com\/en\/insights\/technology-ip-and-privacy\/bill-c-36s-pipeda-to-ppcda-shift-the-rise-of-documented-privacy-compliance\/","title":{"rendered":"Bill C-36\u2019s PIPEDA to PPCDA Shift: The rise of documented privacy compliance"},"content":{"rendered":"\n<h2 class=\"wp-block-heading\">Introduction<\/h2>\n\n\n\n<p>Introduced on June 15, 2026, Bill C-36<a href=\"#_ftn1\" id=\"_ftnref1\">[1]<\/a> would enact the <a href=\"https:\/\/www.parl.ca\/DocumentViewer\/en\/45-1\/bill\/C-36\/first-reading\"><em>Protecting Privacy and Consumer Data Act<\/em><\/a> (&#8220;<strong>PPCDA<\/strong>&#8220;). PPCDA is the federal government&#8217;s latest attempt to modernize Canadian privacy law for today&#8217;s &#8220;data-driven economy.&#8221; It is the third major effort to reform the <em>Personal Information Protection and Electronic Documents Act <\/em>(\u201c<strong>PIPEDA<\/strong>\u201d), following the unsuccessful Bill C-11 in 2020 and Bill C-27 in 2022. Unlike Bill C-27, which combined privacy reform with a comprehensive AI regulatory framework, Bill C-36 is primarily focused on modernizing Canada&#8217;s privacy laws. Several of its provisions, including those relating to automated decision systems, will have important implications for organizations deploying AI technologies.<\/p>\n\n\n\n<p>Like its predecessors, Bill C-36 seeks to move beyond broad privacy principles and establish a more detailed framework governing how organizations collect, use, disclose, and manage personal information.<\/p>\n\n\n\n<p>Bill C-36 was introduced as part of a broader federal push to regulate Canada\u2019s digital environment, alongside Bill C-34 and Bill C-22. Bill C-34 would enact the <em>Safe Social Media Act<\/em>, establishing new safety requirements for social media services and AI chatbot services, and would create the Digital Safety Commission of Canada to administer the new framework. Bill C-22 (An Act respecting lawful access) would amend various statutes, including the Criminal Code and the Canadian Security Intelligence Service Act, to establish a modernized lawful access regime for electronic information. See our recent article for a <a href=\"https:\/\/www.millerthomson.com\/en\/insights\/technology-ip-and-privacy\/a-framework-without-a-rulebook-canadas-new-ai-strategy-and-its-implications-for-businesses\/\">broader view of Canada\u2019s new AI and data strategy<\/a>.<\/p>\n\n\n\n<p>While the structural changes are significant, including the introduction of a new regulator, the Digital Safety and Data Protection Commission of Canada (the \u201c<strong>Commission<\/strong>\u201d), Bill C-36\u2019s real impact lies in a move toward a more formal, documented, and regulated model of privacy compliance.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Why this matters<\/h2>\n\n\n\n<p>Under PIPEDA, organizations have had the flexibility to interpret broad privacy principles and apply them through internal policies and judgement. Bill C-36 reduces this flexibility by imposing explicit statutory requirements around governance, documentation, and transparency.<\/p>\n\n\n\n<p>In practice, compliance becomes more structured, prescribed, and visible. Organizations would need to comply with the rules and demonstrate through documentation how that compliance is achieved. This represents a meaningful change in expectations for organizations that have relied on PIPEDA\u2019s flexible approach.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Flexible principles to clear rules<\/h2>\n\n\n\n<p>Bill C-36 is specific about privacy governance. Organizations would be required to:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>assign responsibility for compliance;<\/li>\n\n\n\n<li>maintain a formal privacy management program which outlines the protection of personal information, how requests for information and complaints are dealt with, the training and information given to staff, and the development of materials to explain the organization\u2019s policies and procedures;<\/li>\n\n\n\n<li>ensure by contract or otherwise that service providers provide equivalent levels of protection to any personal information transferred to them; and<\/li>\n\n\n\n<li>show their program to regulators upon request.<\/li>\n<\/ul>\n\n\n\n<p>Bill C-36 also places clearer limits on how personal information can be used. Organizations will be required to provide clear plain language explanations in obtaining consent, and express consent will be the default unless implied consent is deemed appropriate in the particular circumstance.<\/p>\n\n\n\n<p>While these concepts are not entirely new, Bill C-36 requires organizations to document how decisions are reached. Informal judgement alone may no longer be sufficient.<\/p>\n\n\n\n<p>The same approach carries through the rest of the bill, which requires:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>recording new personal information uses;<\/li>\n\n\n\n<li>conducting privacy impact assessments for disclosure or transfer of information outside of Canada or when implementing the legitimate interest exception (as described below); and<\/li>\n\n\n\n<li>reporting and tracking breaches, as is required under PIPEDA.<\/li>\n<\/ul>\n\n\n\n<p>These requirements reinforce that documentation and process are now central to compliance.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Expanding scope \u2013 data practices and emerging technologies<\/h2>\n\n\n\n<p>Bill C-36 introduces several concepts that reflect the realities of the modern data environment and expands the regulatory framework to address evolving data practices and technologies.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Anonymized vs. de-identified information<\/h3>\n\n\n\n<p> Similar to Bill C-27, PPCDA distinguishes between anonymized and de-identified information. While anonymized information falls outside the scope of the legislation, de-identified information remains personal information which is subject to PPCDA and is accompanied by specific rules governing its use, including restrictions on re-identification.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Automated decision systems<\/h3>\n\n\n\n<p>Organizations using such systems would be subject to PPCDA&#8217;s transparency and access requirements, including an obligation, on request, to provide individuals with an explanation of automated decisions that have significant effects on them.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Children\u2019s personal information<\/h3>\n\n\n\n<p>Children&#8217;s personal information is expressly recognized as particularly sensitive and deserving of enhanced protection.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Individual rights<\/h3>\n\n\n\n<p>Individuals would have the right to request deletion of personal information in certain circumstances, exercise access and correction rights, and request the transfer of their personal information to another organization, with data mobility requirements to be further prescribed by regulation.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Service providers<\/h3>\n\n\n\n<p>Bill C-36 draws a clearer distinction between organizations that control personal information and service providers that process information on their behalf. PPCDA expressly defines a &#8220;service provider&#8221; and permits organizations to transfer personal information to service providers without obtaining additional consent from individuals. While organizations remain accountable for personal information transferred to service providers, service providers are expressly recognized as separate actors under the legislation and are subject to direct statutory obligations, including obligations relating to security safeguards and breach reporting.<\/p>\n\n\n\n<p>Importantly, if a service provider collects, uses, or discloses transferred personal information for a purpose other than that for which the information was transferred, it becomes fully subject to the obligations imposed under PPCDA in respect of that information.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Legitimate interest and processing without consent<\/h2>\n\n\n\n<p>While consent remains the default, Bill C-36 recognizes that organizations may sometimes use personal information without consent. This reflects a shift towards a model that accommodates certain routine business activities without relying exclusively on consent.<\/p>\n\n\n\n<p>The most important of these is the \u201clegitimate interest,\u201d exception. Organizations would be able to collect, use and disclose personal information without consent if their legitimate interest outweighs any reasonably foreseeable adverse effect on the individual.<\/p>\n\n\n\n<p>This flexibility comes with conditions. Prior to using information without consent, organizations need to ensure that:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>a reasonable person would expect the collection, use or disclosure; and<\/li>\n\n\n\n<li>the personal information is not collected, used or disclosed for the purpose of influencing the individual\u2019s behaviour or decisions.<\/li>\n<\/ul>\n\n\n\n<p>Critically, organizations relying on this exception would be expected to conduct a privacy impact assessment, identify and mitigate risks, document their analysis for relying on the exception, and include in their publicly available privacy policies a description of any activities undertaken in reliance on the legitimate interest exception.<\/p>\n\n\n\n<p>In practice, decisions made in reliance on this exception would need to be carefully analyzed and documented.<\/p>\n\n\n\n<p>Bill C-36 also creates further consent exceptions for specified business activities, as well as for matters such as fraud prevention, research, employment relationships, business transactions and emergencies.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">The Commission\u2019s new enforcement powers and private right of action<\/h2>\n\n\n\n<p>The Commission will be responsible for administering and enforcing the PPCDA and the Digital Safety Act, with a designated Privacy and Consumer Data Commissioner appointed to lead enforcement. This represents a significant restructuring of Canada\u2019s privacy enforcement model, as responsibility for private-sector privacy oversight is removed from the Office of the Privacy Commissioner of Canada (the \u201c<strong>OPC<\/strong>\u201d) and transferred to the new Commission. The OPC would continue to exist but would shift its focus primarily to public-sector privacy.<\/p>\n\n\n\n<p>This institutional redesign reflects Parliament\u2019s intention to integrate privacy enforcement with broader digital safety regulation under a single regulatory authority. It also marks a departure from Canada\u2019s traditional PIPEDA model, under which the OPC functioned as an independent agent of Parliament responsible for investigating private-sector privacy complaints and issuing non-binding findings.<\/p>\n\n\n\n<p>The proposed enforcement provisions under PPCDA represent a material increase in businesses\u2019 liability exposure for non-compliance. The Commission will have the power to issue binding compliance orders and impose significant administrative monetary penalties:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Up to $10 million or 3% of global revenue, <\/strong>whichever is greater, for standard non-compliance; and<\/li>\n\n\n\n<li><strong>Up to $25 million or 5% of global revenue, <\/strong>whichever is greater, for the most serious offences.<\/li>\n<\/ul>\n\n\n\n<p>PPCDA also introduces a private right of action, allowing individuals to seek damages directly in court for breaches of the Act. This is a material departure from PIPEDA, under which individuals could not sue organizations directly for privacy breaches.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">What organizations should do now<\/h2>\n\n\n\n<p>Although Bill C-36 has a long legislative journey ahead, its direction is clear. A formal and regulated privacy regime may be coming. Organizations should consider preparing by reviewing the following.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Governance structures<\/h3>\n\n\n\n<p>Assess who within the organization is responsible for privacy compliance, oversight, and reporting. Roles for internal accountability should be clearly established.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Privacy management programs<\/h3>\n\n\n\n<p>Review whether current privacy management programs meet Bill C-36\u2019s requirements, including assigned accountability, documented processes, compliant handling procedures, and regulator-ready records.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Consent language<\/h3>\n\n\n\n<p>Review whether existing consent wording is clear, plain-language, and appropriate for the personal information being collected, used, or disclosed. Organizations should also consider whether any activities may require a documented legitimate interest analysis.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Service provider contracts<\/h3>\n\n\n\n<p>Review existing agreements with service providers to ensure that protection obligations are in place and are clearly limited in how they use personal information.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Automated decision systems<\/h3>\n\n\n\n<p>Organizations using AI or algorithmic tools should identify where significant automated decisions are being made and assess whether they can provide meaningful explanations if required.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Cross-border transfers, breach response and transparency<\/h3>\n\n\n\n<p>Organizations should also assess operational areas likely to be scrutinized, such as cross-border data transfers, breach response, and transparency around data use.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Conclusion<\/h2>\n\n\n\n<p>Bill C-36 moves beyond the flexible regime under PIPEDA to a more structured and enforceable system. While some flexibility is preserved, it\u2019s conditional on organizations having clearly and justifiably documented their decisions.<\/p>\n\n\n\n<p>The key takeaway is simple: under Bill C-36, compliance will need to be demonstrated, not merely asserted. Organizations should focus not only on whether their practices are defensible, but also on whether those practices are documented, structured, and capable of withstanding regulatory scrutiny.<\/p>\n\n\n\n<p>Miller Thomson will continue to monitor Bill C-36 as it moves through Parliament and will continue to provide updates on any significant changes. If you have any questions about the proposed legislation or would like assistance in reviewing your current privacy practices, please contact a <a href=\"https:\/\/www.millerthomson.com\/en\/expertise\/technology-ip-and-privacy\/privacy-and-cybersecurity\/\">lawyer from our Privacy and Cybersecurity team<\/a>.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<p><a href=\"#_ftnref1\" id=\"_ftn1\">[1]<\/a> Bill C-36 : An Act to enact the Protecting Privacy and Consumer Data Act, to amend the Personal Information Protection and Electronic Documents Act and to make amendments to other Acts (\u201c<strong>Bill C-36<\/strong>\u201d)<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Introduction Introduced on June 15, 2026, Bill C-36[1] would enact the Protecting Privacy and Consumer Data Act (&#8220;PPCDA&#8220;). PPCDA is the federal government&#8217;s latest attempt to modernize Canadian privacy law for today&#8217;s &#8220;data-driven economy.&#8221; It is the third major effort to reform the Personal Information Protection and Electronic Documents Act (\u201cPIPEDA\u201d), following the unsuccessful Bill [&hellip;]<\/p>\n","protected":false},"author":122,"featured_media":30996,"parent":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[557],"insight-format":[416,470],"class_list":["post-52601","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-technology-ip-and-privacy"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.9 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Bill C-36\u2019s PIPEDA to PPCDA Shift: The rise of documented privacy compliance | Miller Thomson<\/title>\n<meta name=\"description\" content=\"Bill C-36 would replace PIPEDA with a stricter, documented privacy compliance regime, and penalties up to $25M or 5% of global revenue. Here&#039;s what organizations need to start doing now.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.millerthomson.com\/en\/insights\/technology-ip-and-privacy\/bill-c-36s-pipeda-to-ppcda-shift-the-rise-of-documented-privacy-compliance\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Bill C-36\u2019s PIPEDA to PPCDA Shift: The rise of documented privacy compliance | Miller Thomson\" \/>\n<meta property=\"og:description\" content=\"Bill C-36 would replace PIPEDA with a stricter, documented privacy compliance regime, and penalties up to $25M or 5% of global revenue. Here&#039;s what organizations need to start doing now.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.millerthomson.com\/en\/insights\/technology-ip-and-privacy\/bill-c-36s-pipeda-to-ppcda-shift-the-rise-of-documented-privacy-compliance\/\" \/>\n<meta property=\"og:site_name\" content=\"Miller Thomson\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/MillerThomsonLaw\/\" \/>\n<meta property=\"article:published_time\" content=\"2026-06-30T20:50:11+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2026-06-30T20:50:14+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.millerthomson.com\/wp-content\/uploads\/2025\/04\/insights_technology_mobile.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"1920\" \/>\n\t<meta property=\"og:image:height\" content=\"1098\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"Sebastian Vives\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@millerthomson\" \/>\n<meta name=\"twitter:site\" content=\"@millerthomson\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Sebastian Vives\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"8 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/www.millerthomson.com\\\/en\\\/insights\\\/technology-ip-and-privacy\\\/bill-c-36s-pipeda-to-ppcda-shift-the-rise-of-documented-privacy-compliance\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.millerthomson.com\\\/en\\\/insights\\\/technology-ip-and-privacy\\\/bill-c-36s-pipeda-to-ppcda-shift-the-rise-of-documented-privacy-compliance\\\/\"},\"author\":{\"name\":\"Sebastian Vives\",\"@id\":\"https:\\\/\\\/www.millerthomson.com\\\/en\\\/#\\\/schema\\\/person\\\/be05481ca4ee617c24b33993ade4c881\"},\"headline\":\"Bill C-36\u2019s PIPEDA to PPCDA Shift: The rise of documented privacy compliance\",\"datePublished\":\"2026-06-30T20:50:11+00:00\",\"dateModified\":\"2026-06-30T20:50:14+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/www.millerthomson.com\\\/en\\\/insights\\\/technology-ip-and-privacy\\\/bill-c-36s-pipeda-to-ppcda-shift-the-rise-of-documented-privacy-compliance\\\/\"},\"wordCount\":1721,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\\\/\\\/www.millerthomson.com\\\/en\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/www.millerthomson.com\\\/en\\\/insights\\\/technology-ip-and-privacy\\\/bill-c-36s-pipeda-to-ppcda-shift-the-rise-of-documented-privacy-compliance\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.millerthomson.com\\\/wp-content\\\/uploads\\\/2025\\\/04\\\/insights_technology_mobile.jpg\",\"articleSection\":[\"Technology, IP and Privacy\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/www.millerthomson.com\\\/en\\\/insights\\\/technology-ip-and-privacy\\\/bill-c-36s-pipeda-to-ppcda-shift-the-rise-of-documented-privacy-compliance\\\/#respond\"]}]},{\"@type\":[\"WebPage\",\"ItemPage\"],\"@id\":\"https:\\\/\\\/www.millerthomson.com\\\/en\\\/insights\\\/technology-ip-and-privacy\\\/bill-c-36s-pipeda-to-ppcda-shift-the-rise-of-documented-privacy-compliance\\\/\",\"url\":\"https:\\\/\\\/www.millerthomson.com\\\/en\\\/insights\\\/technology-ip-and-privacy\\\/bill-c-36s-pipeda-to-ppcda-shift-the-rise-of-documented-privacy-compliance\\\/\",\"name\":\"Bill C-36\u2019s PIPEDA to PPCDA Shift: The rise of documented privacy compliance | Miller Thomson\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.millerthomson.com\\\/en\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/www.millerthomson.com\\\/en\\\/insights\\\/technology-ip-and-privacy\\\/bill-c-36s-pipeda-to-ppcda-shift-the-rise-of-documented-privacy-compliance\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/www.millerthomson.com\\\/en\\\/insights\\\/technology-ip-and-privacy\\\/bill-c-36s-pipeda-to-ppcda-shift-the-rise-of-documented-privacy-compliance\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.millerthomson.com\\\/wp-content\\\/uploads\\\/2025\\\/04\\\/insights_technology_mobile.jpg\",\"datePublished\":\"2026-06-30T20:50:11+00:00\",\"dateModified\":\"2026-06-30T20:50:14+00:00\",\"description\":\"Bill C-36 would replace PIPEDA with a stricter, documented privacy compliance regime, and penalties up to $25M or 5% of global revenue. Here's what organizations need to start doing now.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.millerthomson.com\\\/en\\\/insights\\\/technology-ip-and-privacy\\\/bill-c-36s-pipeda-to-ppcda-shift-the-rise-of-documented-privacy-compliance\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.millerthomson.com\\\/en\\\/insights\\\/technology-ip-and-privacy\\\/bill-c-36s-pipeda-to-ppcda-shift-the-rise-of-documented-privacy-compliance\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.millerthomson.com\\\/en\\\/insights\\\/technology-ip-and-privacy\\\/bill-c-36s-pipeda-to-ppcda-shift-the-rise-of-documented-privacy-compliance\\\/#primaryimage\",\"url\":\"https:\\\/\\\/www.millerthomson.com\\\/wp-content\\\/uploads\\\/2025\\\/04\\\/insights_technology_mobile.jpg\",\"contentUrl\":\"https:\\\/\\\/www.millerthomson.com\\\/wp-content\\\/uploads\\\/2025\\\/04\\\/insights_technology_mobile.jpg\",\"width\":1920,\"height\":1098,\"caption\":\"woman scrolling through social media on a smart phone holding a mug of coffee\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.millerthomson.com\\\/en\\\/insights\\\/technology-ip-and-privacy\\\/bill-c-36s-pipeda-to-ppcda-shift-the-rise-of-documented-privacy-compliance\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/www.millerthomson.com\\\/en\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Bill C-36\u2019s PIPEDA to PPCDA Shift: The rise of documented privacy compliance\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.millerthomson.com\\\/en\\\/#website\",\"url\":\"https:\\\/\\\/www.millerthomson.com\\\/en\\\/\",\"name\":\"Miller Thomson\",\"description\":\"National law firm providing business law expertise and litigation and disputes services for businesses across Canada since 1957.\",\"publisher\":{\"@id\":\"https:\\\/\\\/www.millerthomson.com\\\/en\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.millerthomson.com\\\/en\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/www.millerthomson.com\\\/en\\\/#organization\",\"name\":\"Miller Thomson\",\"url\":\"https:\\\/\\\/www.millerthomson.com\\\/en\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.millerthomson.com\\\/en\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/www.millerthomson.com\\\/wp-content\\\/uploads\\\/2024\\\/10\\\/miller-thomson.svg\",\"contentUrl\":\"https:\\\/\\\/www.millerthomson.com\\\/wp-content\\\/uploads\\\/2024\\\/10\\\/miller-thomson.svg\",\"width\":380,\"height\":50,\"caption\":\"Miller Thomson\"},\"image\":{\"@id\":\"https:\\\/\\\/www.millerthomson.com\\\/en\\\/#\\\/schema\\\/logo\\\/image\\\/\"},\"sameAs\":[\"https:\\\/\\\/www.facebook.com\\\/MillerThomsonLaw\\\/\",\"https:\\\/\\\/x.com\\\/millerthomson\",\"https:\\\/\\\/www.linkedin.com\\\/company\\\/miller-thomson-llp\\\/\",\"https:\\\/\\\/www.youtube.com\\\/@millerthomson\"]},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/www.millerthomson.com\\\/en\\\/#\\\/schema\\\/person\\\/be05481ca4ee617c24b33993ade4c881\",\"name\":\"Sebastian Vives\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/9c50194d3d05da0f277cc6ce0c163d04a4150aed35e0d008c0cba4866c37cc31?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/9c50194d3d05da0f277cc6ce0c163d04a4150aed35e0d008c0cba4866c37cc31?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/9c50194d3d05da0f277cc6ce0c163d04a4150aed35e0d008c0cba4866c37cc31?s=96&d=mm&r=g\",\"caption\":\"Sebastian Vives\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Bill C-36\u2019s PIPEDA to PPCDA Shift: The rise of documented privacy compliance | Miller Thomson","description":"Bill C-36 would replace PIPEDA with a stricter, documented privacy compliance regime, and penalties up to $25M or 5% of global revenue. Here's what organizations need to start doing now.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.millerthomson.com\/en\/insights\/technology-ip-and-privacy\/bill-c-36s-pipeda-to-ppcda-shift-the-rise-of-documented-privacy-compliance\/","og_locale":"en_US","og_type":"article","og_title":"Bill C-36\u2019s PIPEDA to PPCDA Shift: The rise of documented privacy compliance | Miller Thomson","og_description":"Bill C-36 would replace PIPEDA with a stricter, documented privacy compliance regime, and penalties up to $25M or 5% of global revenue. Here's what organizations need to start doing now.","og_url":"https:\/\/www.millerthomson.com\/en\/insights\/technology-ip-and-privacy\/bill-c-36s-pipeda-to-ppcda-shift-the-rise-of-documented-privacy-compliance\/","og_site_name":"Miller Thomson","article_publisher":"https:\/\/www.facebook.com\/MillerThomsonLaw\/","article_published_time":"2026-06-30T20:50:11+00:00","article_modified_time":"2026-06-30T20:50:14+00:00","og_image":[{"width":1920,"height":1098,"url":"https:\/\/www.millerthomson.com\/wp-content\/uploads\/2025\/04\/insights_technology_mobile.jpg","type":"image\/jpeg"}],"author":"Sebastian Vives","twitter_card":"summary_large_image","twitter_creator":"@millerthomson","twitter_site":"@millerthomson","twitter_misc":{"Written by":"Sebastian Vives","Est. reading time":"8 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.millerthomson.com\/en\/insights\/technology-ip-and-privacy\/bill-c-36s-pipeda-to-ppcda-shift-the-rise-of-documented-privacy-compliance\/#article","isPartOf":{"@id":"https:\/\/www.millerthomson.com\/en\/insights\/technology-ip-and-privacy\/bill-c-36s-pipeda-to-ppcda-shift-the-rise-of-documented-privacy-compliance\/"},"author":{"name":"Sebastian Vives","@id":"https:\/\/www.millerthomson.com\/en\/#\/schema\/person\/be05481ca4ee617c24b33993ade4c881"},"headline":"Bill C-36\u2019s PIPEDA to PPCDA Shift: The rise of documented privacy compliance","datePublished":"2026-06-30T20:50:11+00:00","dateModified":"2026-06-30T20:50:14+00:00","mainEntityOfPage":{"@id":"https:\/\/www.millerthomson.com\/en\/insights\/technology-ip-and-privacy\/bill-c-36s-pipeda-to-ppcda-shift-the-rise-of-documented-privacy-compliance\/"},"wordCount":1721,"commentCount":0,"publisher":{"@id":"https:\/\/www.millerthomson.com\/en\/#organization"},"image":{"@id":"https:\/\/www.millerthomson.com\/en\/insights\/technology-ip-and-privacy\/bill-c-36s-pipeda-to-ppcda-shift-the-rise-of-documented-privacy-compliance\/#primaryimage"},"thumbnailUrl":"https:\/\/www.millerthomson.com\/wp-content\/uploads\/2025\/04\/insights_technology_mobile.jpg","articleSection":["Technology, IP and Privacy"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/www.millerthomson.com\/en\/insights\/technology-ip-and-privacy\/bill-c-36s-pipeda-to-ppcda-shift-the-rise-of-documented-privacy-compliance\/#respond"]}]},{"@type":["WebPage","ItemPage"],"@id":"https:\/\/www.millerthomson.com\/en\/insights\/technology-ip-and-privacy\/bill-c-36s-pipeda-to-ppcda-shift-the-rise-of-documented-privacy-compliance\/","url":"https:\/\/www.millerthomson.com\/en\/insights\/technology-ip-and-privacy\/bill-c-36s-pipeda-to-ppcda-shift-the-rise-of-documented-privacy-compliance\/","name":"Bill C-36\u2019s PIPEDA to PPCDA Shift: The rise of documented privacy compliance | Miller Thomson","isPartOf":{"@id":"https:\/\/www.millerthomson.com\/en\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.millerthomson.com\/en\/insights\/technology-ip-and-privacy\/bill-c-36s-pipeda-to-ppcda-shift-the-rise-of-documented-privacy-compliance\/#primaryimage"},"image":{"@id":"https:\/\/www.millerthomson.com\/en\/insights\/technology-ip-and-privacy\/bill-c-36s-pipeda-to-ppcda-shift-the-rise-of-documented-privacy-compliance\/#primaryimage"},"thumbnailUrl":"https:\/\/www.millerthomson.com\/wp-content\/uploads\/2025\/04\/insights_technology_mobile.jpg","datePublished":"2026-06-30T20:50:11+00:00","dateModified":"2026-06-30T20:50:14+00:00","description":"Bill C-36 would replace PIPEDA with a stricter, documented privacy compliance regime, and penalties up to $25M or 5% of global revenue. Here's what organizations need to start doing now.","breadcrumb":{"@id":"https:\/\/www.millerthomson.com\/en\/insights\/technology-ip-and-privacy\/bill-c-36s-pipeda-to-ppcda-shift-the-rise-of-documented-privacy-compliance\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.millerthomson.com\/en\/insights\/technology-ip-and-privacy\/bill-c-36s-pipeda-to-ppcda-shift-the-rise-of-documented-privacy-compliance\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.millerthomson.com\/en\/insights\/technology-ip-and-privacy\/bill-c-36s-pipeda-to-ppcda-shift-the-rise-of-documented-privacy-compliance\/#primaryimage","url":"https:\/\/www.millerthomson.com\/wp-content\/uploads\/2025\/04\/insights_technology_mobile.jpg","contentUrl":"https:\/\/www.millerthomson.com\/wp-content\/uploads\/2025\/04\/insights_technology_mobile.jpg","width":1920,"height":1098,"caption":"woman scrolling through social media on a smart phone holding a mug of coffee"},{"@type":"BreadcrumbList","@id":"https:\/\/www.millerthomson.com\/en\/insights\/technology-ip-and-privacy\/bill-c-36s-pipeda-to-ppcda-shift-the-rise-of-documented-privacy-compliance\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.millerthomson.com\/en\/"},{"@type":"ListItem","position":2,"name":"Bill C-36\u2019s PIPEDA to PPCDA Shift: The rise of documented privacy compliance"}]},{"@type":"WebSite","@id":"https:\/\/www.millerthomson.com\/en\/#website","url":"https:\/\/www.millerthomson.com\/en\/","name":"Miller Thomson","description":"National law firm providing business law expertise and litigation and disputes services for businesses across Canada since 1957.","publisher":{"@id":"https:\/\/www.millerthomson.com\/en\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.millerthomson.com\/en\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.millerthomson.com\/en\/#organization","name":"Miller Thomson","url":"https:\/\/www.millerthomson.com\/en\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.millerthomson.com\/en\/#\/schema\/logo\/image\/","url":"https:\/\/www.millerthomson.com\/wp-content\/uploads\/2024\/10\/miller-thomson.svg","contentUrl":"https:\/\/www.millerthomson.com\/wp-content\/uploads\/2024\/10\/miller-thomson.svg","width":380,"height":50,"caption":"Miller Thomson"},"image":{"@id":"https:\/\/www.millerthomson.com\/en\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.facebook.com\/MillerThomsonLaw\/","https:\/\/x.com\/millerthomson","https:\/\/www.linkedin.com\/company\/miller-thomson-llp\/","https:\/\/www.youtube.com\/@millerthomson"]},{"@type":"Person","@id":"https:\/\/www.millerthomson.com\/en\/#\/schema\/person\/be05481ca4ee617c24b33993ade4c881","name":"Sebastian Vives","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/9c50194d3d05da0f277cc6ce0c163d04a4150aed35e0d008c0cba4866c37cc31?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/9c50194d3d05da0f277cc6ce0c163d04a4150aed35e0d008c0cba4866c37cc31?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/9c50194d3d05da0f277cc6ce0c163d04a4150aed35e0d008c0cba4866c37cc31?s=96&d=mm&r=g","caption":"Sebastian Vives"}}]}},"_links":{"self":[{"href":"https:\/\/www.millerthomson.com\/en\/wp-json\/wp\/v2\/posts\/52601","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.millerthomson.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.millerthomson.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.millerthomson.com\/en\/wp-json\/wp\/v2\/users\/122"}],"replies":[{"embeddable":true,"href":"https:\/\/www.millerthomson.com\/en\/wp-json\/wp\/v2\/comments?post=52601"}],"version-history":[{"count":5,"href":"https:\/\/www.millerthomson.com\/en\/wp-json\/wp\/v2\/posts\/52601\/revisions"}],"predecessor-version":[{"id":52652,"href":"https:\/\/www.millerthomson.com\/en\/wp-json\/wp\/v2\/posts\/52601\/revisions\/52652"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.millerthomson.com\/en\/wp-json\/wp\/v2\/media\/30996"}],"wp:attachment":[{"href":"https:\/\/www.millerthomson.com\/en\/wp-json\/wp\/v2\/media?parent=52601"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.millerthomson.com\/en\/wp-json\/wp\/v2\/categories?post=52601"},{"taxonomy":"insight-format","embeddable":true,"href":"https:\/\/www.millerthomson.com\/en\/wp-json\/wp\/v2\/insight-format?post=52601"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}