Canada unveils Bill C-36 to tighten private sector data rules

Canada has introduced Bill C-36 to overhaul private-sector privacy law, creating new rules for personal data and children's information.

The proposed Protecting Privacy and Consumer Data Act would replace parts of a framework ministers said is more than 25 years old. 

If enacted, the core consumer privacy rules in the Personal Information Protection and Electronic Documents Act (PIPEDA) would be replaced with a new framework centred on stronger individual rights, tougher penalties, and a new regulator. The bill would create the Protecting Privacy and Consumer Data Act and shift enforcement to a Digital Safety and Data Protection Commission, which would have the authority to issue orders and levy significant fines.

The measure is intended to respond to a digital environment shaped by large-scale artificial intelligence, algorithmic decision-making, deepfakes and the broader collection of children's data online. Evan Solomon, Minister of Artificial Intelligence and Digital Innovation, linked it to the federal government's National Artificial Intelligence Strategy.

Among the central changes, the legislation would recognise privacy as a fundamental right in Canada's private-sector data regime. It would impose higher standards on organisations handling children's personal information and require meaningful consent for the use of personal data, along with plain-language explanations of how that information is managed.

This bill comes as the Carney government is toughening laws to protect children's safety online. Earlier this month, they introduced the Safe Social Media Act, proposing a ban on social media accounts for children under 16. Both bills are awaiting a second reading in the House of Commons.

Bill C-36 would require organisations to be transparent about the use of automated decision-making in significant decisions affecting individuals. Canadians would gain the right to request the deletion of personal information in certain circumstances, while organisations would be required to use personal information for appropriate purposes and to avoid unfair practices such as surveillance pricing.

Another element is data mobility. The framework would allow individuals to move their personal information securely between organisations where an applicable system is in place.

Oversight would sit with a new Digital Safety and Data Protection Commission of Canada, an arm's-length regulator that would also administer the separate Digital Safety Act. The shared structure is intended to bring consistency to the regulation of digital and data-driven technologies, particularly in areas such as age assurance, synthetic content and children's online safety.

A designated Privacy and Consumer Data Commissioner would be appointed within the Commission to lead oversight and enforcement of the privacy legislation. The regulator would have the authority to issue binding orders to ensure compliance.

Penalties under the proposed law would reach up to CAD $10 million or 3 per cent of global revenue, whichever is greater, for administrative monetary penalties. For the most serious offences, fines would rise to as much as CAD $25 million or 5 per cent of global revenue.

The Bill contains provisions aimed at what the government described as digital sovereignty. Organisations transferring personal information outside Canada would need to conduct risk assessments and implement privacy safeguards before doing so.

The approach reflects broader concern in Ottawa over data handling in a more contested geopolitical environment, where the location of data processing and storage has become more politically sensitive. The legislation would require organisations to consider the privacy implications of using service providers as part of those arrangements.