Canada’s Proposed Privacy Bill C-36

By Robert Bergman, CEO of Southwest Management Technology

Canada’s proposed Bill C-36 represents one of the most significant privacy law reforms the country has considered in over two decades. At its heart, the legislation aims to replace major portions of PIPEDA with a new framework called the Protecting Privacy and Consumer Data Act (PPCDA). The government says the goal is simple, although maybe not simple at all in practice: give individuals stronger control over their personal information while still allowing businesses to innovate and compete in a data-driven economy.

One of the most notable changes is the recognition of privacy as a fundamental right. That sounds symbolic, but symbols often become powerful legal tools. The bill would also require organizations to obtain more meaningful consent from individuals. Most times, express consent would become the default standard, and companies would need to explain their data practices in plain language rather than hiding key details in dense legal text.

Consumers would gain new rights as well. People could request the deletion of their personal information in certain situations, and organizations would be expected to respond appropriately. The legislation also introduces concepts such as data mobility, allowing individuals to transfer information between participating organizations. It feels a bit like changing banks while keeping your account history intact, although the comparison is not perfect.

Children receive special attention throughout the proposal. Their personal information would be treated as sensitive by default, and organizations would face higher obligations when handling it. Recent debates around youth access to social media have made these concerns especially visible, so the timing is not surprising.

Another major shift involves enforcement. Instead of relying primarily on the Office of the Privacy Commissioner for private sector oversight, the bill would create the Digital Safety and Data Protection Commission of Canada. This new regulator would have the authority to investigate complaints, conduct audits, issue binding orders, and impose substantial penalties. For some organizations, that possibility may feel like a distant thunderstorm. For others, especially large enterprises, it is probably more like hearing the rain already hitting the roof.

The proposed penalties are significant. Organizations that fail to comply could face fines reaching millions of dollars, and in certain circumstances penalties could be tied to a percentage of global revenue. Supporters argue that stronger enforcement is necessary because privacy violations can create real harm. Critics, however, question whether moving authority away from the traditional Privacy Commissioner is the right approach. Some observers worry that such a major institutional change deserves broader consultation before implementation.

The bill also introduces several new compliance obligations. Organizations would need documented privacy management programs, privacy impact assessments in specific situations, and stronger internal governance practices. Cross-border data transfers would require additional analysis, particularly when personal information is being moved outside Canada. Companies relying on automated decision-making systems would face new transparency requirements, which may become increasingly important as artificial intelligence continues to spread through everyday business operations.

There is also growing concern about practices sometimes described as surveillance pricing, where data about individuals may influence pricing decisions. The legislation seeks to address concerns around automated systems and potentially unfair uses of personal information, although some critics argue the language remains too broad and leaves important details for future regulations.

Despite the sweeping nature of the proposal, many privacy professionals believe organizations that already maintain mature privacy programs may not need dramatic operational changes. In some cases, existing practices can likely be adapted with moderate adjustments. Still, questions remain. How extensive will privacy impact assessments become? How detailed must explanations of automated decisions be? And what standards will regulators ultimately apply? At the moment, some of those answers are still floating just beyond view.

The legislation is currently only at the beginning of the legislative process. Parliamentary review, committee study, Senate consideration, and additional regulatory development all remain ahead. The destination is visible, but the road is still under construction.

AI models and privacy compliance present a growing challenge because modern AI systems often depend on enormous amounts of data. Organizations may not always know exactly where information originated, how long it should be retained, or whether individuals provided valid consent for every use. Businesses want faster innovation, while regulators and consumers increasingly demand transparency and accountability. There is a tension here that sometimes feels impossible to resolve and then, unexpectedly, somewhat manageable.

As AI capabilities expand, privacy compliance is becoming less of a legal checkbox and more of a core governance issue. Organizations that fail to address it risk regulatory penalties, reputational damage, and a loss of public trust that can be difficult to rebuild.

ADDRESS THE PRIVACY ISSUES WITH AI NOW!

Robert Bergman

Robert Bergman with Next Level Mediation provides full mediation services - including proprietary and confidential Decision Science (DS) analysis that assists each party in understanding their true litigation priorities as aligned with their business objectives. Each party receives a one-time user license to access our exclusive DS Application Cloud. We… MORE