Implications of Canada’s proposed privacy overhaul Bill C-36 for organizations

This article prepared with the assistance of summer student Zoë Goetz.

On June 15, 2026, the Government of Canada introduced Bill C-36, which would enact the Protecting Privacy and Consumer Data Act (PPCDA), amend the Personal Information Protection and Electronic Documents Act (PIPEDA) and make related amendments to other Federal legislation. If passed, Bill C-36 would represent the most significant overhaul of Canada’s private-sector privacy framework in over 25 years. This follows previous attempts with Bill C-11 in 2020 and Bill C-27 in 2022, both of which died on the Order Paper when Parliament was dissolved.

Bill C-36 responds to the rapid evolution of digital and data-driven technologies, including the increased use of artificial intelligence, and aims to modernize Canada’s approach to protecting personal information while supporting responsible innovation. Organizations that collect, use or disclose personal information in the course of commercial activities should consider if Bill C-36 might apply to them and what it may mean for their operations.

Important note: Bill C-36 received first reading on June 15, 2026, and must still pass through the full legislative process before becoming law. The provisions discussed below reflect the Bill as introduced and may be subject to amendment.

Who Bill C-36 applies to

The PPCDA would apply to any organization that collects, uses or discloses personal information in the course of commercial activities, as well as to the personal information of employees of Federally regulated organizations. Alberta, British Columbia and Quebec each have their own private-sector privacy legislation – the Personal Information Protection Acts (PIPA) in Alberta and British Columbia and the Act respecting the protection of personal information in the private sector in Quebec – that are currently deemed substantially similar to PIPEDA and overseen by their respective provincial privacy commissioners. Unless these provincial laws are similarly deemed substantially similar under the PPCDA, the Federal legislation would prevail.

Key provisions and how they differ from PIPEDA

The PPCDA builds on PIPEDA’s foundational principles but introduces expanded obligations and modernized concepts.

Key changes include:

• A new oversight model – The Bill would establish the Digital Safety and Data Protection Commission of Canada, led by a designated Privacy and Consumer Data Commissioner, replacing the current oversight model under the Office of the Privacy Commissioner.
• Specific requirements for valid consent – Express consent would be required unless implied consent is appropriate, taking into account the individual’s reasonable expectations and the sensitivity of the personal information. Consent must now meet specific requirements set out in Bill C-36.
• New consent exception for “business activities” and “legitimate interests” – Similar to the EU’s General Data Protection Regulation, Bill C-36 would allow organizations to collect, use or disclose personal information without consent for reasonable business activities or where they have a legitimate interest, provided the interest outweighs any potential adverse effects on the individual. Organizations relying on this exception would be required to document their assessment and make it available on request.
• Higher standards for sensitive information including children’s information – Bill C-36 defines “sensitive” personal information to include children’s personal information, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic or health information, biometric information and sexual orientation. Specific requirements may be prescribed for sensitive information.
• Transparency around automated decision systems – Organizations would be required to provide increased transparency about their use of automated decision systems, including AI-powered systems.
• Right to deletion and mobility – Individuals would be able to request the deletion or disposal of their personal information or request that it be transferred to another organization, in certain circumstances (rights not expressly provided under PIPEDA).
• Oversight of de-identified information – Bill C-36 distinguishes between “de-identified” information (where identifying information has been removed but re-identification remains possible) and “anonymized” information (which has been irreversibly modified so that no individual can be identified). While anonymized information falls outside the scope of Bill C-36, de-identified information would remain subject to the PPCDA’s protections. Organizations may use personal information without consent to de-identify or anonymize it but must follow generally accepted best practices when doing so.
• Cross-border transfer assessments – Organizations would be required to assess and mitigate privacy risks with privacy impact assessments before sending personal information outside Canada, reflecting growing concerns about data sovereignty.

Updated obligations for organizations

Bill C-36 would impose several expanded compliance requirements on organizations:

• Privacy management programs – Organizations must implement and maintain a privacy management program. The Commission would have authority to review these programs and recommend corrective measures.
• Proportionate safeguards – Organizations must protect personal information through physical, organizational and technological safeguards proportionate to the sensitivity of the information, but now also considering the quantity, distribution, format and storage method of information.
• Service provider oversight – When transferring personal information to a service provider, organizations must ensure, by contract or otherwise, that the service provider provides an equivalent level of protection.
• Public-facing transparency – Organizations must maintain publicly available information describing how they use personal information and how they apply consent exceptions, including activities based on legitimate interest.
• Legitimate interest documentation – As noted above, where organizations rely on legitimate interest as a basis for collecting, using or disclosing personal information, they would need to document their assessments and make this information available on request.

Enforcement mechanisms and penalties

Perhaps the most significant departure from PIPEDA is the enforcement regime. Under the current framework, the Privacy Commissioner of Canada can investigate complaints and make recommendations but lacks the authority to issue binding orders or impose financial penalties directly. Bill C-36 would change this substantially:

• Binding orders – The Commission would have the power to issue binding orders; a marked shift from the current recommendation-only model.
• Administrative monetary penalties – Penalties of up to $10 million or 3% of global revenue (whichever is greater) for contraventions.
• Fines for serious offences – For the most serious offences, fines of up to $25 million or 5% of global revenue (whichever is greater), approaching the scale of penalties under the EU’s General Data Protection Regulation.
• Private right of action – Bill C-36 would create a private right of action, allowing individuals to seek damages in court for contraventions of the PPCDA. This marks a significant departure from PIPEDA, under which individuals generally could not pursue civil claims directly.

Preparing for the PPCDA: Steps your organization can take now

While Bill C-36 must still proceed through the legislative process, organizations would be well-served to begin preparing now. Many of the steps below represent good privacy practices regardless of whether Bill C-36 is enacted in its current form:

• Map your data – Conduct an inventory of personal information your organization collects, uses, discloses and stores. This includes identifying any sensitive personal information as defined in Bill C-36.
• Review consent mechanisms – Assess whether your current consent language and practices would meet the PPCDA’s heightened requirements.
• Strengthen your privacy management program – Ensure you have a documented program that could withstand Commission review, including policies, procedures and training.
• Audit vendor and service-provider arrangements – Review arrangements to confirm that you have appropriate agreements in place that require equivalent levels of protection for personal information transferred to third parties.
• Assess cross-border data transfers – Identify where personal information flows outside Canada and begin developing risk-assessment and mitigation frameworks.
• Prepare for access, deletion and mobility requests – Develop or update processes to respond to individual requests for access to, deletion of or transfer of personal information.
• Review automated decision systems – Document your organization’s use of AI and automated decision-making systems and assess what transparency measures may be needed.
• Update privacy notices – Review and update publicly available information about your privacy practices to confirm it is current and sufficiently detailed to meet the PPCDA’s transparency requirements.

Key takeaways

We will continue to monitor Bill C-36 as it moves through the legislative process and will provide updates on any significant amendments or developments. In the meantime, if you have questions about how the proposed legislation may affect your organization, or if you would like assistance assessing your current privacy compliance posture, please contact a member of our Privacy and Data Protection group. Early preparation is the best way to ensure your organization is ready to meet its obligations when the PPCDA comes into force.

MLT Aikins is also proud to offer practical fixed-priced tools to help you secure your data, manage risks and assess your privacy compliance programs and related requirements through our Privacy and Cybersecurity Academy.

Share