Third Time’s the Charm? Canada’s Latest Approach to Reform the Federal Private-Sector Privacy Framework

June 24, 2026

On June 15, 2026, the Canadian federal government introduced Bill C-36, titled An Act to enact the Protecting Privacy and Consumer Data Act, to amend the Personal Information Protection and Electronic Documents Act and to make amendments to other Acts (Bill C-36 or Bill). Bill C-36 succeeds Bill C-27 and Bill C-11, which were introduced in 2022 and 2020 respectively, and marks the federal government’s third major attempt in six years to reform the Personal Information Protection and Electronic Documents Act (PIPEDA).

Like its predecessors, if passed, the Bill would repeal the privacy provisions of PIPEDA and replace them with a new private-sector privacy law, the Protecting Privacy and Consumer Data Act (PPCDA or Act). However, unlike the prior proposals, Bill C-36 would shift enforcement from the Office of the Privacy Commissioner of Canada to a new Digital Safety and Data Protection Commission of Canada (Commission), which was initially proposed less than a week prior in Bill C-34. For more information on the Commission and Bill C-34, please see our Blakes Bulletin: Canada’s Digital Safety Act: A Revamped Framework for Online Safety.

As in the 2022 and 2020 iterations, many of these proposals are intended to provide organizations with greater clarity regarding their data governance and privacy obligations by codifying existing Privacy Commissioner of Canada guidance. Below, we highlight the Bill’s most significant departures from the PIPEDA framework.

New Commissioner With Enhanced Enforcement Powers

Currently, the Privacy Commissioner of Canada (who is an Agent of Parliament confirmed by the Senate and House of Commons) acts largely as an ombudsman and does not have the power to order compliance with PIPEDA. PPCDA would dramatically change the enforcement of the federal private-sector privacy regime. 

Bill C-36 proposes a new supervisory structure led by the Commission, which would administer and enforce both PPCDA and the Digital Safety Act proposed in Bill C-34. Within the Commission, a new Privacy and Consumer Data Commissioner (Commissioner) would be appointed by Cabinet and designated to oversee and enforce PPCDA. This means that the Privacy Commissioner of Canada’s purview would become limited to oversight of the Privacy Act, Canada’s federal public-sector privacy legislation. 

As drafted, PPCDA grants the Commissioner broad enforcement powers, including investigation and audit powers, as well as the power to order compliance with the Act. The Act also provides authority for the Commissioner to approve code and certification programs that set privacy compliance standards and requires the Commissioner to issue guidance in areas where the PPCDA is not prescriptive. Further, the Act includes an expansive list of violations that could result in an administrative monetary penalty applied through a notice of contravention.

These penalties could be significant, with a maximum penalty of the greater of C$10-million or 3% of the organization’s gross global revenue in the preceding financial year. An organization would have a right to apply for review of any determination in relation to a notice of contravention and make representations to the Commission. The Commission would have authority to then confirm, cancel or vary any determination that is subject to a review. 

Exceptions for Legitimate Business Interests

Like Bill C-27, PPCDA contains an exception from the requirement to obtain consent from the individual for a collection, use or disclosure of personal information that is made for purposes in which the organization has a “legitimate interest” that outweighs any potential adverse effect on the individual. This exception is similar to Article 6(1)(f) of the European Union’s General Data Protection Regulation, which provides that an organization’s legitimate interests are a lawful basis for processing personal data.

Prior to relying on this exception to collect, use or disclose personal information, the organization must identify and record a description of the legitimate interest, conduct a privacy impact assessment in accordance with the prescribed requirements, identify and take reasonable measures to mitigate the associated risks, and comply with any prescribed requirements.

Automated Decision-Making

While Bill C-36 does not include as comprehensive a framework for governing artificial intelligence (AI) as we saw in Bill C-27, it does create disclosure and transparency obligations for organizations using automated decision systems. “Automated decision systems” is broadly defined to mean any technology that assists or replaces the judgment of human decision-makers through the use of a rules-based system, regression analysis, predictive analytics, machine learning, deep learning, a neural network or other technique. 

Organizations that use automated decision systems to make predictions, recommendations or decisions that have a legal or significant effect on individuals would be required to make available to the public a general account of the organization’s use of such systems and, on request from an impacted individual, provide an explanation of the prediction, recommendation or decision. 

Cross-Border Transfer Privacy Impact Assessments

Organizations would be required to conduct a privacy impact assessment prior to disclosing or transferring personal information outside of Canada. Organizations must also implement measures to mitigate the risks identified in the assessment, which may include contractual measures, adherence to approved codes of practice or certification processes, or complying with other prescribed measures. This requirement would align the federal private-sector regime more closely with Quebec’s private-sector framework.

Anonymization and De-Identified Information

In today’s data-driven economy, organizations routinely use de-identified or anonymized data to assess their operations, create new products and meet evolving customer demands. However, PIPEDA does not define “anonymized” or “de-identified” information, nor does it clarify whether such data qualifies as personal information.

Bill C-36 proposes to expressly define these processes in the PPCDA:

  • “Anonymize” means to irreversibly and permanently modify personal information to ensure that there is no reasonably foreseeable risk in the circumstances that an individual can be identified from the information, whether directly or indirectly, by any means.
  • “De-identify” means to modify personal information so that an individual cannot be directly identified from it, although a risk of the individual being identified remains.

The Act would treat de-identified information as “personal information,” whereas anonymized information would fall outside the scope of the Act. The Act expressly permits organizations to de-identify or anonymize personal information without individual consent and to use de-identified personal information for internal research, analysis and development purposes without consent, subject to certain conditions. 

Business Transaction Exemption

The Act narrows PIPEDA’s business transaction exemption by permitting organizations to rely on it to use or disclose personal information without consent prior to the completion of the transaction only where that information has first been de-identified. However, an exception applies where de-identification would undermine the transaction’s objectives and the organization has considered the risk of harm to the individual arising from the use or disclosure.

Sensitive Personal Information and Protecting Children

PPCDA would define “sensitive” as “personal information in respect of which, taking into account the circumstances, an individual has a heightened expectation of privacy, including, as the case may be, a child’s personal information, personal information revealing an individual’s racial or ethnic origin, political opinions or religious or philosophical beliefs, an individual’s trade union membership, genetic information or health information, biometric information that is capable of uniquely identifying the individual or information concerning an individual’s sexual orientation.”

The express recognition of children’s personal information as sensitive aligns with the federal government’s recent efforts to strengthen online protections for children, including through the Digital Safety Act proposed in Bill C-34. 

Data Subject Rights

The Act’s purpose section expressly recognizes privacy as a fundamental right. Consistent with that recognition, the Act creates new privacy rights for individuals, including a deletion right and, as noted above, a transparency right related to the use of automated decision systems.   

(i) Right to Request Deletion

Upon written request of an individual, an organization must dispose of personal information if (a) the information was collected, used or disclosed in contravention of the Act, (b) the individual has withdrawn their consent, or (c) the information is no longer necessary for the continued provision of a product or service requested by the individual. Organizations may refuse the request as it relates to (b) or (c) in prescribed circumstances, including where there are legal requirements to retain the information, the disposal would adversely affect the accuracy of information required for the ongoing provision of a service to the individual, or the request is vexatious or made in bad faith.

(ii) Right to Data Portability

Upon request from an individual, and subject to regulations that have not yet been drafted, an organization must disclose the personal information that it has collected from the individual to an organization designated by the individual, provided both organizations are subject to data mobility frameworks. This data portability right was also introduced into PIPEDA last year in the federal government’s budget under Bill C-15. Organizations that are required to have data mobility frameworks will be specified by regulation. For an update on data portability rights, see our Spring 2026 edition of Blakes Data Governor.

Next Steps

Parliament has risen for the summer and is scheduled to return on September 21, 2026. Stay tuned for updates throughout the summer detailing the impact of specific proposals in Bill C-36 and Bill C-34 on Canadian businesses. 

For more information, please contact the authors or any other member of our Privacy & Data Protection group.