Welcome to the Summer 2026 issue of Blakes Data Governor, published by the Blakes Privacy & Data Protection group. Blakes Data Governor provides actionable insights and practical overviews of recent developments impacting privacy, cybersecurity, access to information and artificial intelligence (AI) governance law in Canada.
In This Issue
- Tips for Modernizing Your Canadian Privacy Program. With the introduction of Bill C-36 and the enactment of new federal cybersecurity legislation, we provide insights for Canadian businesses on what is actually changing and what updates organizations should consider implementing into their privacy program.
- The Safe Social Media Act. Learn how social media, chatbots and other online services may be regulated to protect children and restrict harmful digital content.
- The Protecting Privacy and Consumer Data Act. Everything you need to know about the proposed changes to the federal private-sector privacy framework proposed by Bill C-36.
- The Federal AI for All Strategy. Understand how the federal government is prioritizing investment in AI and Canadian-controlled and operated digital infrastructure.
- Blakes Cybersecurity Trends Study – Sixth Edition. Drawing on our frontline experience advising organizations on complex cybersecurity matters across Canada, the sixth edition of our study discusses the threats reshaping the risk landscape.
- When AI Hallucinates the Law: Arbitral Award Overturned. What you need to know about the Superior Court of Quebec’s decision involving an arbitrator’s excessive reliance on AI.
Scanning the Horizon
Modernizing Your Canadian Privacy Program
Many privacy professionals and policy wonks across the country rejoiced on June 15, 2026, when the federal government tabled Bill C-36, the Protecting Privacy and Consumer Data Act. However, others might not be holding their breath. Bill C-36 represents the third attempt to reform federal private-sector privacy law since 2020 and, even with the government’s majority position, committee debate in both the House of Commons and the Senate means that realistically it could be years before any new privacy law is in force.
Even if the bill takes months or years to pass, there is no reason for Canadian businesses to postpone privacy program modernization. Every prior reform effort and recent reports of findings published by the Privacy Commissioner of Canada signal a clear regulatory direction: clear accountability, more transparency, meaningful individual rights and increased regulator scrutiny. Coupled with the recent growth in privacy class actions focusing on privacy practices, rather than solely privacy breaches, businesses can look to Bill C-36 for guidance to improve their compliance posture to meet the next generation of Canadian privacy problems.
Here are our top tips for modernizing your privacy program.
Understand Your Data
Many organizations still do not have a complete understanding of:
- What personal information they collect
- Why they collect it
- Where it is stored
- Who has access to it
- Which third parties receive it
A current data inventory is foundational to complying with modern privacy requirements, supporting access and correction requests, managing consent, and responding to privacy incidents. It is also crucial to understanding the impact of new AI tools and systems. Like other modern international privacy laws, Bill C-36 places greater emphasis on transparency and responsible data handling, making data mapping a critical first step.
Review Consent Practices
Organizations should evaluate whether their consent mechanisms are clear and understandable, purpose-specific, easy to withdraw, and supported by plain-language privacy notices.
The proposed legislation continues to rely heavily on meaningful consent while increasing expectations around transparency and explanation. Businesses that simplify privacy notices and consent flows now will likely face fewer compliance challenges later.
Organizations that offer online services should evaluate whether special protections are appropriate for minors, including age-assurance practices, consent processes and default privacy settings.
Review Cross-Border Practices
Currently, Canadian private-sector privacy laws generally allow personal information to be transferred to service providers outside of Canada. However, organizations that are subject to Canadian federal and/or provincial private-sector privacy laws must meet certain requirements when transferring personal information to a service provider outside of Canada, such as implementing a written agreement, being transparent about the cross-border processing and completing a privacy impact assessment in some cases. Bill C-36 proposes more explicit rules regarding service providers and international data transfers, including privacy impact assessment requirements in some circumstances.
Organizations should regularly review vendor contracts, cross-border transfer arrangements, security obligations, audit rights and data retention requirements. Even where law or policy allows for personal information to be transferred outside of Canada, an entity — particularly an entity that acts as a service provider — may be subject to contractual restrictions that require personal information to remain in Canada. Entities should review their contractual commitments before transferring or accessing personal information outside of Canada. Further, strong vendor governance practices reduce both compliance risk and cybersecurity exposure.
Prepare for Expanded Individual Rights
Many businesses are currently facing a significant rise in requests from individuals to access their personal information or withdraw their consent. Bill C-36 proposes enhanced individual rights that go beyond those currently available under the Personal Information Protection and Electronic Documents Act (PIPEDA). To ease the burden of these new pressures, organizations should prepare updated policies and procedures to:
- Respond to access and correction requests with defined response timelines
- Allow individuals to exercise data portability rights to transfer their personal information to another organization
- Provide transparency around automated decision-making systems
- Dispose of personal information upon request in prescribed circumstances
Implement AI Use Transparency
A significant aspect of the proposed reforms is increased scrutiny of AI-driven processing and automated decision systems. Bill C-36 contemplates greater transparency around automated decisions and recognizes privacy risks associated with inferred personal information.
Organizations using AI should ensure they have clear documentation of AI use, assess the privacy impacts, monitor how AI uses personal information and maintain records of algorithmic decision-making. These controls are rapidly becoming expected by consumer regulators globally, regardless of Canada’s legislative timeline.
Insights Radar
The Safe Social Media Act
Building on past attempts to establish a comprehensive regulatory framework to address online harms in Canada, the federal government has tabled Bill C-34, the Safe Social Media Act. If passed, this new legislation would establish a federal digital safety regime by enacting the Digital Safety Act and create the Digital Safety Commission of Canada through the Digital Safety Commission of Canada Act. In our Blakes Bulletin: Canada’s Digital Safety Act: A Revamped Framework for Online Safety, we discuss the potentially onerous new duties proposed for yet-to-be-named operators of social media, chatbot and certain online services.
The Protecting Privacy and Consumer Data Act
For the third time since 2020, the federal government has tabled an attempt at reforming PIPEDA: Bill C-36. In our Blakes Bulletin: Third Time’s the Charm? Canada’s Latest Approach to Reform the Federal Private-Sector Privacy Framework, we highlight the bill’s most significant departures from the PIPEDA framework, including the proposed brand-new regulator for the private sector.
The Federal AI for All Strategy
Innovation, Science and Economic Development Canada recently published Canada’s National Artificial Intelligence Strategy: AI for All (Strategy). The Strategy outlines a coordinated approach towards AI integration in Canada while addressing key risks associated with AI adoption, including trust and safety and the lack of Canadian control over existing AI infrastructure. Our Blakes Bulletin: Canada’s AI for All Strategy: Key Takeaways for Businesses unpacks the Strategy’s six pillars, which are designed to foster trust, provide opportunity for and empower Canadians, and safeguard Canadian sovereignty.
Canadian Cybersecurity Trends Study – Sixth Edition
This focused and data-driven report provides a concise view of the evolving cyber risk landscape, highlighting the most significant trends and offering practical insights to support informed decision-making and cybersecurity preparedness. For example, this edition highlights the rise of data exfiltration and related privacy breaches, moving away from the previously dominant trend of encryption events. Learn more by downloading the Canadian Cybersecurity Trends Study – Sixth Edition.
When AI Hallucinates the Law: Arbitral Award Overturned
On April 22, 2026, in Association des ressources intermédiaires d’hébergement du Québec (ARIHQ) c. Santé Québec – Centre intégré universitaire de santé et de services sociaux du Centre-Sud-de-l'Île-de-Montréal, the Superior Court of Quebec (the Court) overturned an arbitral award due to the arbitrator’s excessive reliance on AI. According to the Court, the arbitrator based his reasoning on non-existent sources “hallucinated” by AI and thus “delegated part of his decision-making power,” thereby relinquishing his authority. The decision, which is one of the first public decisions on the subject of AI in Canada, reinforces key safeguards governing the exercise of arbitral powers and raises important questions about the use of AI in legal decision-making. Learn all about the decision in our Blakes Bulletin: When AI Hallucinates the Law: Arbitral Award Overturned.
Regulatory Watch
Key Legislative Developments
- Bill C-8 received Royal Assent, enacting the Critical Cyber Systems Protection Act.
- Amendments to Ontario’s Freedom of Information and Protection of Privacy Act, made by Bill 97, are now in force, extending the time to respond to access requests from 30 days to 45 days, and making other important changes.
- Manitoba’s Bill 49, which amends the Business Practices Amendment Act to regulate the use of personalized algorithmic pricing, received Royal Assent. The amendments will come into force on a future date to be fixed by proclamation.
New Decisions and Guidance
- Privacy Commissioner of Canada publishes new guidance for financial reporting entities on submitting codes of practice for sharing personal information, as part of efforts to detect or deter money-laundering, terrorist activity financing and sanction evasion.
- Privacy Commissioner of Canada investigation into the Grok chatbot and sexualized deepfakes finds companies violated privacy law.
- Privacy Commissioner of Canada tables 2025–2026 annual report to Parliament, Championing Privacy in the Age of AI.
- Office of the Information and Privacy Commissioner of Alberta releases new guidance for private sector organizations regarding changes to Alberta driver’s licenses and ID cards.
Contact Us
Please do not hesitate to contact your usual Blakes contact or any member of the Blakes Privacy & Data Protection group. To receive Privacy group Insights directly to your inbox, including Blakes Data Governor, sign up here.
Related Insights
Blakes and Blakes Business Class communications are intended for informational purposes only and do not constitute legal advice or an opinion on any issue. We would be pleased to provide additional details or advice about specific situations if desired.
For permission to republish this content, please contact the Blakes Client Relations & Marketing Department at [email protected].
© 2026 Blake, Cassels & Graydon LLP