Skip Navigation

Blakes Data Governor: Summer 2026

July 16, 2026

Welcome to the Summer 2026 issue of Blakes Data Governor, published by the Blakes Privacy & Data Protection group. Blakes Data Governor provides actionable insights and practical overviews of recent developments impacting privacy, cybersecurity, access to information and artificial intelligence (AI) governance law in Canada.

In This Issue

Scanning the Horizon

Modernizing Your Canadian Privacy Program

Many privacy professionals and policy wonks across the country rejoiced on June 15, 2026, when the federal government tabled Bill C-36, the Protecting Privacy and Consumer Data Act. However, others might not be holding their breath. Bill C-36 represents the third attempt to reform federal private-sector privacy law since 2020 and, even with the government’s majority position, committee debate in both the House of Commons and the Senate means that realistically it could be years before any new privacy law is in force. 

Even if the bill takes months or years to pass, there is no reason for Canadian businesses to postpone privacy program modernization. Every prior reform effort and recent reports of findings published by the Privacy Commissioner of Canada signal a clear regulatory direction: clear accountability, more transparency, meaningful individual rights and increased regulator scrutiny. Coupled with the recent growth in privacy class actions focusing on privacy practices, rather than solely privacy breaches, businesses can look to Bill C-36 for guidance to improve their compliance posture to meet the next generation of Canadian privacy problems.

Here are our top tips for modernizing your privacy program. 

Understand Your Data

Many organizations still do not have a complete understanding of:

  • What personal information they collect
  • Why they collect it
  • Where it is stored
  • Who has access to it
  • Which third parties receive it

A current data inventory is foundational to complying with modern privacy requirements, supporting access and correction requests, managing consent, and responding to privacy incidents. It is also crucial to understanding the impact of new AI tools and systems. Like other modern international privacy laws, Bill C-36 places greater emphasis on transparency and responsible data handling, making data mapping a critical first step.

Review Consent Practices

Organizations should evaluate whether their consent mechanisms are clear and understandable, purpose-specific, easy to withdraw, and supported by plain-language privacy notices.

The proposed legislation continues to rely heavily on meaningful consent while increasing expectations around transparency and explanation. Businesses that simplify privacy notices and consent flows now will likely face fewer compliance challenges later.

Organizations that offer online services should evaluate whether special protections are appropriate for minors, including age-assurance practices, consent processes and default privacy settings.

Review Cross-Border Practices

Currently, Canadian private-sector privacy laws generally allow personal information to be transferred to service providers outside of Canada. However, organizations that are subject to Canadian federal and/or provincial private-sector privacy laws must meet certain requirements when transferring personal information to a service provider outside of Canada, such as implementing a written agreement, being transparent about the cross-border processing and completing a privacy impact assessment in some cases. Bill C-36 proposes more explicit rules regarding service providers and international data transfers, including privacy impact assessment requirements in some circumstances.

Organizations should regularly review vendor contracts, cross-border transfer arrangements, security obligations, audit rights and data retention requirements. Even where law or policy allows for personal information to be transferred outside of Canada, an entity — particularly an entity that acts as a service provider — may be subject to contractual restrictions that require personal information to remain in Canada. Entities should review their contractual commitments before transferring or accessing personal information outside of Canada. Further, strong vendor governance practices reduce both compliance risk and cybersecurity exposure.

Prepare for Expanded Individual Rights

Many businesses are currently facing a significant rise in requests from individuals to access their personal information or withdraw their consent. Bill C-36 proposes enhanced individual rights that go beyond those currently available under the Personal Information Protection and Electronic Documents Act (PIPEDA). To ease the burden of these new pressures, organizations should prepare updated policies and procedures to:

  • Respond to access and correction requests with defined response timelines
  • Allow individuals to exercise data portability rights to transfer their personal information to another organization
  • Provide transparency around automated decision-making systems
  • Dispose of personal information upon request in prescribed circumstances

Implement AI Use Transparency

A significant aspect of the proposed reforms is increased scrutiny of AI-driven processing and automated decision systems. Bill C-36 contemplates greater transparency around automated decisions and recognizes privacy risks associated with inferred personal information.

Organizations using AI should ensure they have clear documentation of AI use, assess the privacy impacts, monitor how AI uses personal information and maintain records of algorithmic decision-making. These controls are rapidly becoming expected by consumer regulators globally, regardless of Canada’s legislative timeline.

Insights Radar

The Safe Social Media Act

Building on past attempts to establish a comprehensive regulatory framework to address online harms in Canada, the federal government has tabled Bill C-34, the Safe Social Media Act. If passed, this new legislation would establish a federal digital safety regime by enacting the Digital Safety Act and create the Digital Safety Commission of Canada through the Digital Safety Commission of Canada Act. In our Blakes Bulletin: Canada’s Digital Safety Act: A Revamped Framework for Online Safety, we discuss the potentially onerous new duties proposed for yet-to-be-named operators of social media, chatbot and certain online services.

The Protecting Privacy and Consumer Data Act

For the third time since 2020, the federal government has tabled an attempt at reforming PIPEDA: Bill C-36. In our Blakes Bulletin: Third Time’s the Charm? Canada’s Latest Approach to Reform the Federal Private-Sector Privacy Framework, we highlight the bill’s most significant departures from the PIPEDA framework, including the proposed brand-new regulator for the private sector.

The Federal AI for All Strategy

Innovation, Science and Economic Development Canada recently published Canada’s National Artificial Intelligence Strategy: AI for All (Strategy). The Strategy outlines a coordinated approach towards AI integration in Canada while addressing key risks associated with AI adoption, including trust and safety and the lack of Canadian control over existing AI infrastructure. Our Blakes Bulletin: Canada’s AI for All Strategy: Key Takeaways for Businesses unpacks the Strategy’s six pillars, which are designed to foster trust, provide opportunity for and empower Canadians, and safeguard Canadian sovereignty.

Canadian Cybersecurity Trends Study – Sixth Edition

This focused and data-driven report provides a concise view of the evolving cyber risk landscape, highlighting the most significant trends and offering practical insights to support informed decision-making and cybersecurity preparedness. For example, this edition highlights the rise of data exfiltration and related privacy breaches, moving away from the previously dominant trend of encryption events. Learn more by downloading the Canadian Cybersecurity Trends Study – Sixth Edition.

When AI Hallucinates the Law: Arbitral Award Overturned

On April 22, 2026, in Association des ressources intermédiaires d’hébergement du Québec (ARIHQ) c. Santé Québec – Centre intégré universitaire de santé et de services sociaux du Centre-Sud-de-l'Île-de-Montréal, the Superior Court of Quebec (the Court) overturned an arbitral award due to the arbitrator’s excessive reliance on AI. According to the Court, the arbitrator based his reasoning on non-existent sources “hallucinated” by AI and thus “delegated part of his decision-making power,” thereby relinquishing his authority. The decision, which is one of the first public decisions on the subject of AI in Canada, reinforces key safeguards governing the exercise of arbitral powers and raises important questions about the use of AI in legal decision-making. Learn all about the decision in our Blakes Bulletin: When AI Hallucinates the Law: Arbitral Award Overturned.

Regulatory Watch

Key Legislative Developments

New Decisions and Guidance

Contact Us

Please do not hesitate to contact your usual Blakes contact or any member of the Blakes Privacy & Data Protection group. To receive Privacy group Insights directly to your inbox, including Blakes Data Governor, sign up here

More insights