Canada's Bill C-36 introduces privacy reforms, enforcement changes

Bill C‑36 would recognize privacy as a fundamental right, strengthen consent and deletion rights, increase protections for children, and shift private‑sector enforcement to a new Digital Safety and Data Protection Commission with significant penalty powers.


Contributors:

Lexie White

Staff Writer

IAPP

Canada introduced its long-awaited privacy reform legislation, Bill C-36, the Protecting Privacy and Consumer Data Act. Bill C‑36 would recognize privacy as a fundamental right, strengthen consent and deletion rights, increase protections for children and shift private‑sector enforcement to a new Digital Safety and Data Protection Commission with significant penalty powers.

Bill C-36 would also amend the Personal Information Protection and Electronic Documents Act and introduce obligations for organizations handling personal information.

The bill looks to modernize PIPEDA by implementing stronger requirements for obtaining meaningful consent, allowing consumers to request that companies delete their data, including AI deepfakes, and creating additional obligations for companies that handle children’s data.

Artificial Intelligence and Digital Innovation Minister Evan Solomon said the legislation is intended to support innovation and economic growth while providing consumers with “more power to require companies to delete personal information they should no longer hold. And they’ll have more control over the digital trail that companies build about them.”

The announcement comes on the heels of legislation proposed last week, the Safe Social Media Act, that would ban children under age 16 from accessing social media platforms.

Enforcement changes

Bill C-36 would also restructure Canada’s Office of the Privacy Commissioner by introducing the Digital Safety and Data Protection Commission of Canada. The OPC would shift its focus to regulating the Privacy Act in the public sector while transferring the private-sector complaints and investigations to the new authority.

IAPP Country Leader, Canada and nNovation Managing Partner Kris Klein, CIPP/C, CIPM, FIP, said, "the biggest news out of this new bill is, as was foreshadowed the week before with the introduction of the Digital Safety Act, the creation of a new enforcement agency that completely re-writes the model of enforcement for privacy in the private sector."

The newly proposed Commission would be granted the power to issue binding enforcement actions against non-compliant organizations, with penalties of up to CAD10 million or three percent of global revenue, and the authority to fine companies up to CAD25 million or five percent of global revenue for the most serious offences if they do not comply with the PPCDA.

Privacy Commissioner Philippe Dufresne said he was "pleased to see many of my recommendations reflected in the new Bill. In particular, I welcome proposals to recognize privacy as a fundamental right, an explicit recognition of the best interests of children, requirements to conduct privacy impact assessments, and stronger enforcement powers." 

Dufresne noted that the legislation would transfer private-sector authority from his agency but did not say whether he supported that shift or not. "The OPC will be carefully analysing the Bill, and I look forward to providing my views and recommendations to Parliament ... with the goal of making it the best possible legislation," he said. 

The OPC also highlighted the importance of ensuring Canadians retain meaningful control over their personal information as emerging technologies, including AI systems, continue to expand the collection and use of personal data.

University of Ottawa Internet and E-Commerce Law Canada Research Chair Michael Geist raised concerns about the changes, noting “removing an Agent of Parliament from private-sector privacy enforcement after decades isn’t something you tuck into a lengthy bill, but rather requires extended public consultation and analysis on how best to ensure Canada has effective privacy enforcement.”

In his weekly IAPP Canada notes from 12 June, Klein discussed the evolution of the difference between an administrative tribunal — as seen in the proposed Commission — and an Officer of Parliament (the existing OPC).

Solomon, the AI minister, said the bill would address regulatory concerns raised by the OPC, which urged the government to introduce a regulator that has the “power to enforce, the power to investigate, the powers to have penalties, and that's what we've given, an independent regulator here to do just that.”

Klein noted a “one-stop enforcement agency that does ‘all of privacy’ is a good thing for efficiency, consistency and, this is so, particularly if it is done differently from the Officer of Parliament - Ombuds model chosen generations ago.”

PPCDA standards

The legislation also comes on the heels of Canada’s recently released AI for All strategy, which looks to accelerate AI adoption and strengthen the economy.

Bill C-36, alongside the AI for All strategy, highlights the government’s efforts to promote digital sovereignty and innovation by weighing compliance concerns and small to medium-sized businesses' efforts to keep up with the digital landscape.

Under the proposal, organizations would also be required to treat children’s personal information as sensitive data. Solomon said the legislation sends a message that "companies that operate in Canada must take responsibility for the risk their service is creating, especially when children are involved."

The bill also looks to ensure individuals’ personal data is recognized as a fundamental right. Bill C-36 would address consumers’ concerns about the potential risks associated with automated decision-making technologies and surveillance pricing.

Solomon said surveillance pricing continues to be a key concern. If the bill passes, he will “be asking the regulator to publish guidance as one of my first acts on surveillance pricing to clarify exactly what that will be.”

Though Bill C-36 aims to address AI-related risks, Canada’s New Democratic Party Leader Avi Lewis said the bill’s regulatory efforts may be too broad to address surveillance pricing challenges.

“The bill doesn’t ban this disturbing practice — in fact, it doesn’t even mention it by name,” said Lewis. “Instead, it just promises vague regulatory action in the future.”

Canada’s Office of the Leader of the Official Opposition said the office will continue to analyze the bill’s potential privacy implications. Yahoo Finance reports that a spokesperson for the Opposition Leader said in a statement that the “Liberal government has already demonstrated time and time again that they will take any opportunity to give themselves massive power to invade Canadians' privacy with their attempts to regulate the online space.”

With evolving regulatory changes, Klein noted most private-sector organizations “will feel that many of the provisions make sense and that they have already evolved their business practices to the point where they will easily comply or can do so without more than minor modifications.”

"Of course, it's not all perfect," he said, "and we will need to see how certain things work out in practice: for example, how complex, time consuming and expensive are PIAs going to be? In practical terms, how do you satisfy the requirement to explain automated decision making? What will the final wording be in terms of certain definitions (particularly for de-identification etc.)?" Klein added, "The government announced that they are willing to listen to ideas to make the law better over the summer. Exactly how that is going to happen and whether it is ultimately true will depend on time."

The proposal is expected to face parliamentary review in the coming months.
