Bulletin

Bill C-36: A Third Attempt at Federal Private-Sector Privacy Reform

Fasken
Privacy & Cybersecurity Bulletin

Overview

On June 15, 2026, Evan Solomon, the Minister of Artificial Intelligence and Digital Innovation, introduced Bill C-36, which enacts the Protecting Privacy and Consumer Data Act (PPCDA), marking the third attempt in six years to reform Canada’s federal private-sector privacy law after two previous bills died on the Order Paper. Like 2020’s Bill C-11 and 2022’s Bill C-27 before it, Bill C-36 replaces Part 1 of the Personal Information Protection and Electronic Documents Act (PIPEDA) with new legislation (the PPCDA) that codifies PIPEDA’s principles, is still consent-based, grants the regulator order-making powers and the ability to impose significant administrative monetary penalties, and includes an expanded private right of action.

The introduction of Bill C-36 was widely anticipated following the release of the national AI strategy on June 4, 2026, that specifically referred to the need to modernize privacy law (coupled with conspicuous silence on AI legislation). At a high level, the PPCDA is a codification of the existing principles in PIPEDA and longstanding guidance from the Office of the Privacy Commissioner, while also introducing select concepts drawn from the European Union’s General Data Protection Regulation (GDPR) and Québec’s Law 25. Those concepts include broader exceptions to consent to address some of the limitations of a consent-based model, for example regarding the training of artificial intelligence models using publicly accessible information.

While the PPCDA shares the structure and much of the content of the Consumer Privacy Protection Act (CPPA) from Bill C-27, two differences stand out between Bill C-36 and the former Bill C-27:

  • No stand-alone AI regulation. Privacy reform in Bill C-27 was bundled with AI regulation, the Artificial Intelligence and Data Act (AIDA). Bill C-36 does not include stand-alone AI regulation and is solely focused on privacy, which the government telegraphed in its AI strategy. AIDA, and tying privacy reform to a new AI law in Bill C-27, were widely criticized and slowed that bill’s progress through Parliament.
  • New regulator and oversight framework. Bill C-36 transfers private-sector privacy oversight from the Privacy Commissioner and the Office of the Privacy Commissioner to the Digital Safety and Data Protection Commission of Canada. Rather than retaining the Office of the Privacy Commissioner’s authority over private-sector privacy and creating a separate Personal Information and Data Protection Tribunal (as Bill C-27 proposed), Bill C-36 consolidates administration, investigation, and adjudication within the Digital Safety and Data Protection Commission of Canada (Commission), a body that does not yet exist but that would be created by Bill C-34, the online harms bill currently before Parliament. Bill C-36 amends Bill C-34’s framework to rename that body from the ‘Digital Safety Commission of Canada’ to the ‘Digital Safety and Data Protection Commission of Canada’ and then confers on the Commission its privacy mandate. The Privacy and Consumer Data Commissioner (Commissioner) is a member of the Commission and would address complaints and undertake investigations, with decisions of the Commissioner subject to review by the Commission on application of the concerned organization or complainant.

This bulletin provides an overview of Bill C-36 and highlights the most significant similarities and differences between Bill C-36, Bill C-27, and PIPEDA. As with any bill at first reading, Bill C-36 is likely to evolve as it proceeds through Parliament, and significant elements of the PPCDA, including data mobility frameworks, cross-border transfer requirements, and certification criteria, are left to future regulations. Further, the PPCDA requires the Commission to develop guidance on enforcement and dispute resolution, and to make rules of procedure for its proceedings.

Over the coming weeks, the Fasken privacy team will address in more detail the most significant aspects of the PPCDA and the new oversight framework proposed in Bill C-36.

What Carries Over from Bill C-27 and PIPEDA

The PPCDA retains the structure and most of the substance of the CPPA and includes many of the amendments to the CPPA adopted by the INDU Committee during its review of Bill C-27. Most of the consumer-focused elements highlighted by the government when introducing Bill C-36 were also present in Bill C-27’s CPPA:

  • The PPCDA remains consent based. Consent remains the primary basis for the collection, use and disclosure of personal information, with the same additional requirements for valid consent introduced in the CPPA (which largely reflect OPC guidance on meaningful consent and more recent court decisions), namely plain-language notice, identification of the specific types of personal information collected, and identification of third parties (or types of third parties) to which information may be disclosed.
  • Appropriate purposes and limiting collection. As with the CPPA, an organization may only collect, use or disclose personal information in a manner and for purposes a reasonable person would consider appropriate, applying the same list of factors as the CPPA. This condition applies regardless of whether an organization has obtained consent or if consent is not required.
  • Expanded exceptions to consent. The PPCDA includes the same broader exceptions to consent for the collection and use of personal information for “business activities,” with the same enumerated activities (provision of a requested product or service, security, safety) and the same limitations (a reasonable person would expect it, and it is not for the purpose of influencing the individual’s behaviour or decisions), as well as a collection and use exception based on legitimate interests. The business-activities exception, as in the CPPA, is limited to collection and use and does not extend to disclosure. The PPCDA does, however, allow disclosures of personal information on the basis of legitimate interest.
  • De-identification and anonymization. The PPCDA keeps the CPPA’s core distinction between de-identification and anonymization, where de-identified information remains personal information and is subject to the Act, while anonymized information falls outside of it. The definition of “de-identify” is materially unchanged, and the prohibition on re-identification is retained. As under the CPPA, de-identified information is carved out of certain individual rights and related obligations, including access, amendment, disposal and data mobility, although the PPCDA states the exclusion in each operative provision rather than through a single interpretation clause as the CPPA did. The standard for anonymization, however, has been relaxed (discussed below), reflecting amendments introduced during committee consideration of the CPPA.
  • Breach reporting and notification. Maintains the familiar “real risk of significant harm” standard, record-keeping of breaches, and service-provider notice obligations.
  • Exception to consent for service providers and service provider obligations. Like the CPPA, the PPCDA addresses service providers, allowing transfer of personal information between organizations and service providers without knowledge or consent of individuals and expressly imposing obligations on service providers to safeguard personal information and notify controlling organizations of breaches.
  • Data mobility. Retained as a framework and regulations model from Bill C-27.
  • Access, correction, and disposal rights. As under the CPPA, individuals have the right to access their personal information, to request that inaccurate, incomplete or out-of-date information be amended, to withdraw consent (subject to legal or contractual restrictions), and to request disposal of their personal information, in each case subject to the same categories of exception found in the CPPA.
  • Private right of action. The PPCDA retains a private right of action, contingent on a finding of contravention by the Commissioner, the Commission, or a court (or a conviction), with a two-year limitation period.
  • Same maximum for penalties and offences. Administrative monetary penalties remain capped at the greater of $10 million or 3% of gross global revenue, and the most serious offences remain punishable by fines of up to the greater of $25 million or 5% of gross global revenue.
  • Privacy as a right. Like Bill C-27, the PPCDA’s purpose clause expressly recognizes the right to privacy, though in the PPCDA it is described as a “fundamental” right, consistent with the amendment to the CPPA adopted in committee review.

Differences from Bill C-27 and the CPPA in Bill C-27

1. No stand-alone AI legislation

As noted above, neither Bill C-36 nor the government’s online harms bill, Bill C-34, introduces AI-specific legislation. Consistent with its AI strategy, the government’s approach to AI regulation is divided between the chatbot provisions of Bill C-34’s Digital Safety Act and the privacy regime and automated-decision provisions of the PPCDA.

2. A new regulator: the Digital Safety and Data Protection Commission

Bill C-27 would have preserved the Privacy Commissioner of Canada (with expanded powers) and created a separate Personal Information and Data Protection Tribunal to impose penalties and hear appeals. Bill C-36 takes a markedly different approach. It transfers private-sector privacy oversight from the Privacy Commissioner and their office to the Commission, the body that Bill C-34 would establish as the Digital Safety Commission and that Bill C-36 would rename and expand to carry the privacy mandate. The framework in Bill C-36 divides the privacy oversight functions among three actors:

  • the Commission itself, with five full-time members, which makes orders and imposes penalties through review proceedings;
  • the Privacy and Consumer Data Commissioner, a designated member who investigates complaints, issues notices of contravention, enters into compliance agreements, and conducts audits; and
  • the Privacy and Consumer Data Division, composed of the Commissioner and at least one other member of the Commission, which handles dispute resolution and approves codes of practice and certification programs.

Enforcement steps under the PPCDA begin with a Commissioner-issued notice of contravention (which includes any proposed penalty and order), which is subject to review by the Commission on application by the organization or the complainant, with appeals of Commission decisions to the Federal Court. The new oversight framework is also removed from Parliamentary oversight, as the members of the Commission are appointed by the Governor in Council and the Commission reports through the responsible Minister.

3. “Personal information” expressly includes inferred information

PIPEDA and the CPPA both defined personal information as “information about an identifiable individual.” The PPCDA expands the definition to include “information that is inferred about the individual,” an addition adopted during committee consideration of the CPPA. This would likely capture the results of analysis of personal information, for example through the processing of personal information by AI.

4. Children and a statutory definition of “sensitive” information

Bill C-36 adds more detail in how the PPCDA addresses children’s information and other sensitive information:

  • it defines a “child” as an individual under 18;
  • it introduces a definition of “sensitive” information, enumerating categories such as a child’s personal information, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic and health information, biometric information capable of uniquely identifying an individual, and information about sexual orientation;
  • it makes the “best interests of children” a mandatory factor that the Commission, the Commissioner, and the Division must weigh in exercising their powers; and
  • it strengthens children’s disposal rights by removing the “accuracy or integrity of service” basis on which an organization could otherwise refuse a disposal request.

The above again incorporates some of the amendments adopted during committee consideration of the CPPA.

5. Legitimate interest extended to disclosure, and privacy impact assessment obligations

Bill C-27’s “legitimate interest” exception to consent applied only to the collection and use of personal information. The PPCDA extends it to the collection, use, or disclosure, broadening the exception’s reach. At the same time, it adds procedural requirements on the use of the exception. Before relying on the legitimate interest exception, an organization must identify and describe the interest and carry out a privacy impact assessment (the CPPA referred more loosely to an “assessment”) identifying and mitigating reasonably foreseeable adverse effects, with the assessment available to the Commission on request.

6. A new mandatory obligation for cross-border transfers

Similar to Québec’s Law 25, which requires a privacy impact assessment before personal information is communicated outside Québec, the PPCDA introduces a requirement to conduct a privacy impact assessment before disclosing or transferring personal information outside Canada. Organizations must also implement measures to mitigate the identified risks prior to any such disclosure or transfer, for example through contractual protections or adherence to approved codes of practice or certifications.

7. Revised threshold for automated-decision rights and a new right to human review

Both the CPPA and the PPCDA give individuals a right to an explanation of automated decisions. The PPCDA makes two important changes. First, it revises the threshold for implicated decisions from decisions with a “significant impact” to predictions, recommendations, or decisions with a “legal or similarly significant effect,” mirroring the language of the GDPR. Second, and similar to Québec’s Law 25, the PPCDA gives individuals the right to make written representations to a human employee who is able to review the automated decision.

8. A more practical risk-based standard for anonymization

The CPPA in Bill C-27 contained a strict definition of anonymization, defining it as irreversibly and permanently modifying personal information, in accordance with generally accepted best practices, “to ensure that no individual can be identified from the information, whether directly or indirectly, by any means.” That formulation was widely criticized as an absolute and impractical standard, as any conceivable means of re-identification would cast doubt on whether personal information was truly anonymized.

The PPCDA adopts a less absolute test, based on amendments adopted during committee consideration of Bill C-27 that were derived from the definition of anonymization in Québec’s Law 25. The PPCDA defines anonymization as irreversibly and permanently modifying personal information “to ensure that there is no reasonably foreseeable risk in the circumstances that an individual can be identified from the information, whether directly or indirectly, by any means.” The PPCDA removes the reference to “generally accepted best practices” and, more significantly, replaces the absolute “no individual can be identified” threshold with a risk-based “no reasonably foreseeable risk in the circumstances” standard. This risk-based formulation is consistent with the standard in Québec’s Law 25. Because anonymized information falls entirely outside the PPCDA, the risk-based standard may give organizations a more workable option to rely on anonymization for analytics, research, and AI development, though the “irreversibly and permanently” wording means the standard remains demanding.

9. Factors to guide the regulator when exercising their authority under the PPCDA

Bill C-36 directs the Commission, the Commissioner, and the Division to take into account, in exercising their authority under the PPCDA, a list of factors including:

  • the purpose of the PPCDA;
  • the size and revenue of organizations;
  • the volume and sensitivity of the information at issue;
  • the best interests of children;
  • Canada’s international trade obligations;
  • the importance of supporting economic growth, competition and innovation; and,
  • any other matter of general public interest.

These factors, more explicit than anything in past privacy reform efforts, direct the regulator to weigh proportionality, the circumstances of the organization, and the impact on competition and innovation alongside the protection of privacy and personal information.

Practical Takeaways for Organizations

Although Bill C-36 is only at first reading, organizations can begin preparing now, particularly given how much carries over from Bill C-27:

  • Identify inferred and derived information. With personal information now expressly capturing inferred information, organizations should revisit profiling, analytics, and other similar practices to consider whether additional information would be captured by the PPCDA’s definition of personal information.
  • Reassess anonymization strategies. The shift to a risk-based anonymization standard may make anonymization a more practical tool to remove information from the application of the PPCDA. Organizations should revisit which data can be anonymized and document the residual-risk analysis.
  • Establish a cross-border transfer assessment process. The new privacy impact assessment and mitigation requirements for transfers outside Canada will require process, documentation, and contractual updates regarding service providers outside Canada.
  • Consider the utility of the expanded exceptions to consent. PIPEDA’s consent-based regime with limited exceptions presents practical challenges in many common scenarios, for example with AI, cybersecurity, fraud detection, payments, and similar services. The broadened business activities and legitimate interest exceptions may help address the practical limitations of PIPEDA’s strict consent-based regime. Where organizations foresee relying on the legitimate interest exception, they should begin preparing for the privacy impact assessment and mitigation requirements needed to do so.
  • Refresh children’s and sensitive-data handling. The new definitions of “child” and “sensitive” personal information, and the requirement for the regulator to consider the best interests of children, warrant a review of any processing involving the personal information of young people or information that falls within the categories listed as sensitive in the PPCDA (though in the majority of cases, that information would already be considered sensitive for the purposes of PIPEDA).
  • Prepare for automated-decision transparency and human review. Where organizations use automated decision-making, they should consider the operational capacity to provide explanations and to route reviews to an appropriate employee.
  • Watch the regulations and the new regulator. Many details, such as data mobility frameworks, transfer-mitigation measures, and certification criteria, will be set by regulations, and the consolidation of private-sector privacy oversight into the Commission is a development worth following. The PPCDA also requires the Commission, in consultation with the Minister and stakeholders, to develop and make available guidance on its approach to enforcement and dispute resolution, including: the decision to initiate a complaint; the handling of complaints (including whether to initiate or discontinue an investigation and the conduct of proceedings); dispute resolution mechanisms; compliance agreements; proposed orders and compliance orders; the administrative monetary penalty scheme; and audits.

The Fasken privacy team will provide a more in-depth look at each of these issues in the coming weeks.

Status and Next Steps

Bill C-36 received first reading on June 15, 2026, and will now proceed to second reading and committee study, where amendments are likely. Its coming into force is tied by order in council to establishing the Commission, which itself depends on the passage of Bill C-34. By removing stand-alone AI legislation and advancing privacy reform on its own, the government has addressed one of the main challenges that Bill C-27 faced, but the decision to house federal private-sector privacy regulation within a new commission will generate its own debate. Our Privacy and Cybersecurity team will continue to monitor Bill C-36 and provide updates as it advances through Parliament.

Contact the Authors

If you have questions about how your organization can prepare for Bill C-36, please contact the authors.

Authors

  • Christopher Ferguson, Partner | Technology, Media and Telecommunications, Privacy and Cybersecurity Law, Toronto, ON, +1 416 865 4425
  • Dongwoo Kim, Associate | Privacy and Cybersecurity Law, Toronto, ON, +1 416 865 5168