Bill C-36 makes privacy a board-level AI issue in Canada
Canada is trying again to replace PIPEDA.
On June 15, 2026, the federal government tabled Bill C-36, the Protecting Privacy and Consumer Data Act. If passed, it would replace the privacy parts of PIPEDA, the federal private-sector privacy law that has been in place for more than two decades. PIPEDA’s electronic-documents rules would continue under a renamed Electronic Documents Act.
The headline is the penalty: administrative penalties can reach the greater of $10 million or 3% of global annual revenue for contraventions from one investigation. Serious offences can reach the greater of $25 million or 5% of global annual revenue.
Those numbers will get board attention. They should. But the fine is not the whole story.
C-36 asks a simpler question: does your organization actually know what it does with personal information?
That question matters even more if the organization is building, buying, or deploying AI.
The catch: this may take years
Bill C-36 is not just a privacy bill. It also moves private-sector privacy enforcement away from the Office of the Privacy Commissioner and into a new Digital Safety and Data Protection Commission of Canada.
That matters.
Michael Geist has argued that this may be the bill’s biggest weakness: the government is adding new rights and stronger penalties, then tying them to a new regulator that could take years to stand up. A privacy bill administered by the existing Privacy Commissioner could move faster. A new commission, new regulations, new staffing, and a new operating model could push real enforcement closer to 2030 or later.
So there are two timelines.
The political timeline says reform is here. The operational timeline says organizations may still have a long runway before the switch is fully thrown.
Do not confuse a long runway with a reason to wait.
What changes
Bill C-36 would give federal privacy law sharper teeth.
The new Commission could audit organizations, investigate complaints, demand documents, issue binding orders, and impose or recommend penalties. Individuals would also get a conditional private right of action after a finding of contravention. That creates litigation risk, not just regulator risk.
The bill would add or strengthen duties around:
- plain-language transparency
- deletion and data mobility
- children’s information
- sensitive information
- de-identified and anonymized information
- automated decision-making
- data minimization
- privacy impact assessments
- service providers and cross-border processing
Some parts are still uncertain. Important details will come through regulations or future regulator guidance. That includes pieces of data portability, consent exceptions, cross-border transfers, and how some new tests will work in practice.
One rule cuts through much of the bill: an organization may collect, use, or disclose personal information only for purposes a reasonable person would consider appropriate in the circumstances. That test applies whether or not consent is required.
The hard part is not writing a new privacy policy. The hard part is answering basic questions with evidence.
Where is the personal information? Why do we have it? Is it necessary for the recorded purpose? Who receives it? How long do we keep it? Which systems use it to make or support decisions? Can we delete it when we must?
Many organizations cannot answer those questions quickly today.
Why AI makes this harder
AI systems need data. They also create new data.
Bill C-36 treats inferred information as personal information. That matters. A system may not collect a sensitive fact directly. It may predict it, score it, group someone, or infer it from other signals.
That covers a lot of modern analytics and AI work: fraud scores, risk ratings, recommendations, personalization, worker analytics, customer segmentation, and automated eligibility decisions.
C-36 also adds transparency duties for automated decisions with legal or similarly significant effects. Organizations may need to explain the information used, its source, and the main factors behind the decision.
That is difficult if the organization has no inventory of automated systems, no model owner, and no record of what data the system uses.
“We bought it from a vendor” will not be a privacy program.
Consent gets more complicated
Consent does not disappear.
The bill keeps express consent as the default and implied consent as the exception. It also creates or clarifies exceptions for some business activities and legitimate interests.
Those exceptions are useful, but they are not blank cheques. The legitimate-interest exception requires a privacy impact assessment, a balancing of adverse effects, reasonable expectations, and reasonable measures to reduce or eliminate harm. It also cannot be used when the purpose is to influence the individual’s behaviour or decisions.
The practical question is simple: for each use of personal information, can you point to the authority for using it?
If the answer is “the privacy policy says we can,” that may not be enough.
Service providers are part of the problem
C-36 also makes vendor chains harder to ignore.
Service providers are explicitly in scope. Cross-border transfers may require assessments and mitigation measures. Organizations will need to understand not only their own systems, but also where vendors process information and what protections follow the data.
That is where many privacy programs get thin.
A contract says the vendor will protect the data. But where does the data go? Which subcontractors touch it? Is it used for support, analytics, training, fraud detection, or product improvement? Can it be deleted? Can the organization prove what happened after a breach?
These are not legal decorations. They are operating questions.
Missed risk: portability and deletion
Data mobility is easy to underestimate because it depends on future regulations and data mobility frameworks. That makes it feel distant.
It is still worth planning for now. Once mobility rules apply, organizations may have to disclose personal information collected from an individual to another organization chosen by that individual. Deletion also becomes more operationally important because the bill uses the broader concept of disposal: permanent deletion or anonymization.
If customer data is scattered across product databases, support tools, spreadsheets, marketing platforms, and vendor systems, these rights will be hard to honour cleanly.
Business opportunities
C-36 also creates useful work for organizations that move early.
A few examples:
- Privacy inventory and data-map projects: the foundation for almost every other requirement.
- Cross-border transfer assessments: section 57 requires a privacy impact assessment before personal information is disclosed or transferred outside Canada, plus mitigation measures.
- Legitimate-interest assessments: useful for security, product operations, and some analytics, but only with documented analysis.
- Automated-decision inventories: needed for explainability and AI governance.
- Child-data audits: children’s information is sensitive by definition.
- Vendor-chain reviews: service providers must provide equivalent protection, and they must notify the controlling organization of breaches.
- De-identification and anonymization programs: useful for research, development, analytics, and AI, but only if re-identification risk is managed.
- Codes of practice and certification programs: industry groups may be able to shape practical standards and use approved programs as evidence of compliance.
None of this requires waiting for final regulations.
Start with the inventory
The first useful step is a personal information inventory.
Not a slide deck. Not a policy statement. An inventory that connects personal information to:
- systems
- purposes
- legal authority or consent basis
- vendors and subcontractors
- countries where it is processed
- retention periods
- safeguards
- automated decisions
- deletion requirements
This is boring work. It is also the work everything else depends on.
A good inventory helps you find children’s data, answer deletion requests, identify cross-border transfers, scope privacy impact assessments, and test claims about de-identification or anonymization.
If the inventory is weak, the rest of the program is mostly guesswork.
Questions leaders should ask now
Boards and executives should ask:
- Where do we store personal information?
- Which vendors and subcontractors process it?
- Which data leaves Canada?
- Which systems use it for AI or automated decisions?
- Which data is about children?
- Which data is sensitive?
- Can we delete personal information without breaking a business process?
- Can we explain the legal authority for each major use?
- Can we produce our privacy management program if the Commission asks?
- Are privacy impact assessments part of delivery, or paperwork after the fact?
- Do we know which data uses rely on consent, business activities, legitimate interests, or another exception?
- Have we tested whether any planned use would fail the reasonable-person appropriateness test?
If these questions are uncomfortable, start there.
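One way to turn the inventory described above and the leaders' questions into something that can actually be checked, as an added example that is not from this post or from PrivaSecTech: a small Python model of one inventory record, with checks for the rules the bill is said to impose (a recorded authority for each use, a privacy impact assessment before a cross-border transfer or a legitimate-interest claim, no legitimate interest for purposes that influence behaviour, children's information treated as sensitive, an owner for every automated decision, a retention period, and the ability to dispose of the data). The field names, the "CA"-only test for cross-border processing and the sample records are assumptions constructed for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass
AUTHORITIES = {"consent", "business_activity", "legitimate_interest", "other_exception"}

@dataclass
class Record:
    dataset: str
    purpose: str                    # the recorded purpose the data is held for
    authority: str                  # one of AUTHORITIES, or "" if nobody has recorded it
    countries: tuple[str, ...]      # where the data is processed, vendors included (assumed ISO codes)
    retention_days: int | None = None
    vendors: tuple[str, ...] = ()
    sensitive: bool = False
    children: bool = False
    automated_decision: bool = False
    model_owner: str = ""           # accountable owner of an automated decision
    pia_done: bool = False          # privacy impact assessment on file
    deletable: bool = False         # can be permanently deleted or anonymized on request
    influences_behaviour: bool = False

def gaps(r: Record) -> list[str]:
    # Checks one record against the rules above; an empty list means no gap was found.
    out = []
    if r.authority not in AUTHORITIES:
        out.append("no recorded legal authority")
    if any(c != "CA" for c in r.countries) and not r.pia_done:
        out.append("cross-border transfer without a privacy impact assessment")
    if r.authority == "legitimate_interest":
        if not r.pia_done:
            out.append("legitimate interest claimed without a privacy impact assessment")
        if r.influences_behaviour:
            out.append("legitimate interest cannot cover a purpose that influences behaviour")
    if r.children and not r.sensitive:
        out.append("children's information not treated as sensitive")
    if r.automated_decision and not r.model_owner:
        out.append("automated decision with no model owner")
    if r.retention_days is None:
        out.append("no retention period")
    if not r.deletable:
        out.append("cannot dispose of the data on request")
    return out

def audit(records: list[Record]) -> dict[str, list[str]]:
    return {r.dataset: gaps(r) for r in records}   # dataset name -> its gaps

SAMPLE = [  # constructed sample records for illustration; no real systems, vendors or data
    Record("newsletter", "send product updates", "consent", ("CA",), 730, deletable=True),
    Record("fraud_scores", "score transactions", "legitimate_interest", ("CA", "US"), 365, vendors=("scoring-vendor",), automated_decision=True, deletable=True),
    Record("kids_profiles", "nudge engagement", "legitimate_interest", ("CA",), children=True, influences_behaviour=True),
]
```

Running `audit(SAMPLE)` lists the consented newsletter data as clean and surfaces the missing assessments, missing model owner, and undeletable children's data in the other two records; the same record shape can be loaded from a spreadsheet export once a real inventory exists.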
What to do next
Do not wait for the final enforcement date.
Pick one business unit, product, or data-heavy process. Build the inventory. Map the vendors. Identify the sensitive data. List the automated decisions. Check the retention rules. Find the cross-border transfers. Record the legal authority for each major use.
Then repeat.
That work will help with C-36. It will also make AI projects less fragile. A team that knows its data can make better decisions about what to automate, what to explain, what to delete, and what not to build.
The organizations that start now will have a working map. The ones that wait will have policy language and a scramble.
Further reading
- Parliament of Canada: Bill C-36, first reading
- Lawson Lundell: Canada Is Rewriting the Privacy Rule Book: What Is Bill C-36 About?
- Michael Geist: One Step Forward, Two Steps Back: Bill C-36 Modernizes Canada’s Privacy Law, Then Delays It to 2030
Need this translated for your organization? PrivaSecTech offers confidential briefings, policy reviews, workshops, and privacy/security advisory for teams that need to decide what to do next.