The federal government unveiled long-awaited reforms to Canada’s privacy laws today, handing authority previously held by Canada’s privacy commissioner to an as-of-yet-unestablished Canadian Digital Safety Commission (CDSC).
The reforms were announced Monday afternoon in a technical briefing that came on the heels of Bill C-36. The bill, dubbed the Protecting Privacy and Consumer Data Act (PPCDA), was introduced to the House of Commons by Canada’s minister of innovation and technology, Evan Solomon. Bill C-36 would replace Canada’s private sector privacy law, the Personal Information Protection and Electronic Documents Act (PIPEDA), which was first introduced in 1998.
The new bill will still need to pass first, second, and third reading, and receive royal assent, before becoming law.
RELATED: Elon Musk’s X continues to violate Canadian privacy law with Grok deepfakes, watchdog finds
In Monday’s technical briefing hosted by Innovation, Science and Economic Development Canada (ISED), senior government officials said that PPCDA represented the most significant changes to Canada’s privacy laws in 25 years and will update the legislation for the digital era.
“It sets clear guardrails for protecting Canadians and their personal information amid rapid technological change,” a senior official said.
Perhaps the biggest difference between the PPCDA and PIPEDA is the way privacy is overseen. Under PIPEDA, Canada’s privacy commissioner, Philipe Dufresne, is responsible for overseeing privacy in the private sector. Despite holding that authority, Dufresne has complained that his office lacked the teeth to meaningfully compel private companies to conform with Canadian law, citing an inability to levy fines or issue orders.
New commission could issue binding orders, fines
Rather than enhance the powers of the Office of the Privacy Commissioner (OPC), the PPCDA narrows the mandate of the OPC, granting authority to oversee private-sector privacy to a new regulator to be established under the CDSC. The creation of that commission, which has not yet been established, was announced last week during the government’s unveiling of the Safe Social Media Act. The new commission could take up to 18 months to be established after the bill receives royal assent. Officials said there would be a phased, transitional period where the privacy commissioner, and PIPEDA, would remain in effect during that time.
According to officials, a privacy and data commissioner will be appointed to the CDSC, with that body overseeing both the PPCDA and the Safe Social Media Act. That new regulator would be able to issue binding orders and monetary penalties of up to $10 million or three percent of global revenue.
Michael Geist, the University of Ottawa’s Canada Research Chair in internet and e-commerce law, posted on X following the announcement that “there is no precedent in Canada for this kind of digital super-regulator,” adding that other countries tend to take the approach of creating an independent body solely focused on data protection rather than such a broad mandate.
The OPC will retain its mandate related to privacy and government use of data.
Legislation governs surveillance pricing, data collection
The rest of PPCDA is broken down across four key themes: enhancing protection for individuals, fostering responsible innovation, protecting Canada’s digital and data sovereignty, and strengthening enforcement and oversight, the latter of which primarily deals with the establishment of the new regulator.
Under the first theme, Bill C-36 makes a number of changes, including formally recognizing the right to privacy as a fundamental right of Canadians, and would also establish “a higher standard” for the handling of data belonging to children. The bill would also require organizations to obtain informed consent in order to collect data, and provide plain language explanations of how that data is handled. The legislation would also enshrine the right to deletion, allowing individuals to request that companies delete their personal information. That right would extend to the removal of deepfake images or videos on commercial platforms like social media.
Under the first theme of the bill, legislation would also clarify rules on what “appropriate purposes” are for collecting, using, and disclosing user data.
“[Bill C-36] would clarify the rules on appropriate purposes for the collection, use, and disclosure of personal information in order to prevent unethical or unfair outcomes, including surveillance pricing,” officials said
RELATED: Canada’s AI strategy promises to protect citizens. Critics say it still lacks teeth
The bill does not outright ban surveillance pricing—a practice where companies use personal data to charge different consumers different rates—with the federal government stating that there could be potential benefits, such as the ability for retailers to offer targeted discounts. Instead, it cited the regulator’s ability to define what counts as appropriate use as a way to balance out the negative and positive impacts of surveillance pricing.
Vass Bednar, a senior fellow with the Canadian Shield Institute, told BetaKit in an email that she questions how proposed limits on the negative impacts of surveillance pricing would actually work.
“The bill appears to be trying to preserve discount-based pricing and implies that it would only be inappropriate to use personal information to charge somebody a higher individualized price,” Bednar said. “That might sound good in the abstract, but it needs to be tested against real business models. The details about how this will work in practice are all still pretty hazy.”
Under the second theme, fostering responsible innovation, officials said the government would only support data use for innovation if privacy risks were explicitly addressed and mitigated. Officials added that Bill C-36 would provide guidance around the use of privacy enhancing tech like deidentification and anonymization. It also cited those tools as potential workarounds for the personal data being used in LLM training datasets.
Under PPCDA, AI companies would not be able to be exempt from consent requirements simply by citing legitimate interest—a legal basis in privacy law that allows companies to balance their commercial interests with personal right to privacy claims, essentially allowing organizations to collect data without explicit consent. Instead, companies looking to circumvent consent requirements would be required to provide a privacy impact assessment, identify and address those harmful impacts, prior to collecting any data.
But Bednar said disentangling personal data, including through a right to deletion, could be easier said than done.
“The proposed right to deletion also appears quite narrow, with a strong focus on deepfake abuse. Deletion is far more complicated in an AI-driven economy. Once personal information has been used it can be nearly impossible to disentangle that data from the model, its outputs, or the decisions it helps produce,” she said.
The third theme deals with digital data sovereignty and would require organizations to take security measures to protect Canadian data, including considering privacy implications around global service providers. It would require those organizations to assess and mitigate privacy risks before sending any personal data outside of Canada’s borders.
Feature photo courtesy Jason Hafso via Unsplash.
UPDATE (06/16/2026): This story has been updated to include commentary from the Canadian Shield Institute.