New Enforcement Agency, GDPR-Scale Penalties, and Obligations That Will Reshape How Organizations Handle Personal Data
Canada has introduced the most significant overhaul of its private-sector privacy framework in more than two decades. Bill C-36, the Protecting Privacy and Consumer Data Act (PPCDA), tabled on June 16, 2026, would recognize privacy as a fundamental right, restructure federal enforcement from the ground up, impose GDPR-scale financial penalties, and introduce heightened obligations for organizations handling children’s data and operating automated decision-making systems.
For multinational organizations with Canadian operations, the legislation represents a structural shift, not an incremental update. The compliance architecture that has governed Canadian private-sector data handling under the Personal Information Protection and Electronic Documents Act (PIPEDA), enacted in 2000, is being replaced. Organizations that have treated Canadian privacy compliance as a lighter-touch analog to their GDPR programs should begin reassessing that assumption now.
What Canada’s Privacy Law Has Been — and Why It Needed Replacing
PIPEDA has governed how private-sector organizations collect, use, and disclose personal information in the course of commercial activity since it came into force in 2001. The law established ten fair information principles — covering accountability, consent, limiting collection, accuracy, safeguards, and individual access — and assigned enforcement to the Office of the Privacy Commissioner of Canada (OPC), an independent Officer of Parliament.
The OPC model was built on an ombudsman framework: investigate complaints, make findings, and publish recommendations. What it lacked was binding order-making power and meaningful financial penalties. When the OPC found that an organization had violated PIPEDA, its primary enforcement tool was the reputational pressure of a public finding and the prospect of Federal Court proceedings — a process that was slow, resource-intensive, and rarely resulted in significant consequences for non-compliant organizations.
The inadequacy of that framework became increasingly apparent as data-driven business models scaled, data breaches multiplied, and peer jurisdictions — the EU under the GDPR, California under the CCPA and CPRA, and Quebec under Law 25 — moved toward prescriptive requirements backed by substantial financial penalties. Canada’s federal framework fell progressively further behind the international baseline.
PIPEDA’s consent model also aged poorly. Meaningful consent in 2001 looked different from meaningful consent in 2026, when data flows are complex, privacy notices are deliberately unreadable, and the gap between what organizations tell consumers about data use and what they actually do with it has become a recurring enforcement theme globally. Bill C-36 is Canada’s attempt to close that gap.
The Core Legislative Changes
Privacy as a Fundamental Right
Bill C-36 would enshrine privacy as a fundamental right in federal private-sector law, a framing with both symbolic and practical significance. Recognizing privacy as a right rather than a regulatory compliance obligation shifts the interpretive posture of the entire statute: it invites courts and regulators to resolve ambiguities in favor of privacy protection, and it provides the legal foundation for interpreting consent, access, and deletion rights expansively. Quebec’s Law 25 made a similar move, and it informed the regulatory posture of the Commission d’accès à l’information in early enforcement actions.
Strengthened Consent Requirements
The bill would implement stronger requirements for obtaining meaningful consent — moving beyond the largely form-based consent mechanisms that have characterized PIPEDA compliance and toward a substantive standard that more closely mirrors the GDPR’s requirements for freely given, specific, informed, and unambiguous consent.
The practical implications for consent management infrastructure are significant. Organizations relying on buried consent language in terms of service, pre-ticked boxes, or bundled consents for multiple processing purposes will need to redesign their consent architecture if the bill passes in its current form. Organizations that have already built GDPR-compliant consent frameworks will have a head start — though Canadian-specific consent requirements may diverge from GDPR standards in ways that require distinct implementation.
Right to Deletion — Including AI Deepfakes
Bill C-36 would give consumers the right to request that companies delete their personal data — a right that does not currently exist in a robust form at the federal PIPEDA level, though Quebec’s Law 25 has established a provincial analog. Notably, the deletion right as drafted would explicitly extend to AI-generated deepfakes, signaling legislative intent to address synthetic media as a category of personal information subject to deletion obligations.
The deepfake inclusion is significant. It establishes that AI-generated content depicting an identifiable individual can constitute that individual’s personal information for purposes of data subject rights — a position that has implications for how organizations deploying generative AI tools must respond to deletion requests involving AI-generated outputs, not merely the training data underlying those outputs.
Children’s Data: Heightened Obligations
Under Bill C-36, organizations would be required to treat children’s personal information as sensitive data by default — triggering the heightened protections that apply to sensitive data categories across the entire PPCDA framework. This aligns with a global legislative trend toward stricter children’s data protections, including the UK’s Age Appropriate Design Code, California’s Age-Appropriate Design Code Act, and the FTC’s ongoing COPPA enforcement posture in the United States.
AI and Digital Innovation Minister Evan Solomon was direct about the legislative intent: “Companies that operate in Canada must take responsibility for the risk their service is creating, especially when children are involved.” The bill arrives alongside the Safe Social Media Act, proposed legislation that would ban children under 16 from accessing social media platforms — signaling a coordinated legislative push on children’s digital safety.
Automated Decision-Making and Surveillance Pricing
Bill C-36 would address consumer concerns about automated decision-making technologies — requiring organizations to provide meaningful explanations of how automated systems affect individuals — and would create a regulatory framework for surveillance pricing, the practice of using personal data to individualize pricing based on consumer profiles.
The surveillance pricing provision generated immediate political friction. Canada’s New Democratic Party Leader Avi Lewis acknowledged the bill’s intent but criticized its execution: “The bill doesn’t ban this disturbing practice — in fact, it doesn’t even mention it by name. Instead, it just promises vague regulatory action in the future.” Minister Solomon indicated that, if the bill passes, one of his first acts would be directing the new Commission to publish guidance specifically on surveillance pricing — an acknowledgment that the statutory language requires regulatory elaboration before it becomes operationally meaningful.
Privacy Impact Assessments
The bill would introduce mandatory privacy impact assessment (PIA) requirements for organizations handling personal information in specified contexts. PIAs are already required under Quebec’s Law 25 for projects involving personal information and for certain transfers outside Quebec — Bill C-36 would establish a federal analog, with the specific scope and procedural requirements still subject to parliamentary review and potential amendment.
The Enforcement Overhaul: From Ombudsman to Regulator
The most structurally consequential element of Bill C-36 is not a substantive privacy requirement — it is the wholesale replacement of the enforcement model.
Bill C-36 would create the Digital Safety and Data Protection Commission of Canada (DSDPC), a new administrative tribunal with binding order-making authority and significant financial penalty powers. Private-sector privacy complaints and investigations currently handled by the OPC would transfer to the new Commission. The OPC would retain jurisdiction over the Privacy Act in the public sector.
The new Commission would be authorized to issue penalties of up to CAD 10 million or three percent of global annual revenue for non-compliance with the PPCDA’s general requirements — and up to CAD 25 million or five percent of global annual revenue for the most serious offences. Those penalty tiers are structurally comparable to the GDPR’s two-tier penalty framework (up to €10 million or 2% of global turnover for lower-tier violations; up to €20 million or 4% of global turnover for higher-tier violations), and represent a fundamental departure from PIPEDA’s effectively penalty-free enforcement model.
IAPP Canada Country Leader and nNovation Managing Partner Kris Klein, CIPP/C, CIPM, FIP, identified the enforcement restructuring as the bill’s most significant development: “The biggest news out of this new bill is the creation of a new enforcement agency that completely re-writes the model of enforcement for privacy in the private sector.”
Klein noted both the efficiency case for the new model and the governance questions it raises: “A one-stop enforcement agency that does ‘all of privacy’ is a good thing for efficiency, consistency and — this is so, particularly if it is done differently from the Officer of Parliament – Ombuds model chosen generations ago.” But University of Ottawa Internet and E-Commerce Law Canada Research Chair Michael Geist raised a structural concern about the process: “Removing an Agent of Parliament from private-sector privacy enforcement after decades isn’t something you tuck into a lengthy bill, but rather requires extended public consultation and analysis on how best to ensure Canada has effective privacy enforcement.”
Privacy Commissioner Philippe Dufresne welcomed elements of the bill — including the recognition of privacy as a fundamental right, explicit recognition of children’s best interests, and PIA requirements — while declining to take a public position on the transfer of his agency’s private-sector authority to the new Commission. “The OPC will be carefully analysing the Bill, and I look forward to providing my views and recommendations to Parliament,” he said.
What This Means for Organizations Operating in Canada
Bill C-36 is proposed legislation, not yet law. It faces parliamentary review in the coming months, and the government has indicated openness to amendments over the summer. The final statute may differ from the current draft in meaningful ways. But the direction of travel is unambiguous, and organizations with Canadian operations should be building toward the PPCDA compliance framework rather than waiting for royal assent.
Several practical implications are already clear from the bill’s current form:
- Consent infrastructure review: Organizations relying on PIPEDA-era consent mechanisms — bundled consents, passive consent, buried authorizations — should conduct a gap analysis against the bill’s meaningful consent requirements now. Organizations with GDPR-compliant consent management platforms will need to assess whether their Canadian implementation satisfies the PPCDA’s standard, which may differ in specific requirements.
- Deletion rights operationalization: The right to deletion requires a technical infrastructure capable of honoring deletion requests across systems — including, under Bill C-36, AI-generated content. Organizations deploying generative AI tools that may produce output involving identifiable individuals should assess their deletion response capability specifically in the AI output context.
- Children’s data audit: Organizations whose products or services are used by or directed at minors should audit their data handling practices against the heightened sensitive data standard the bill would apply to children’s personal information.
- PIA program development: Organizations without existing PIA frameworks should begin building one — both to prepare for federal PPCDA requirements and to satisfy Quebec’s Law 25 obligations, which are already in force.
- Automated decision-making documentation: The bill’s requirement to explain automated decision-making to affected individuals requires that organizations be able to articulate, in plain language, how automated systems produce decisions affecting consumers. Organizations that cannot currently do this should treat it as a gap requiring technical and governance attention.
- Penalty exposure modeling: Organizations should model their potential penalty exposure under the PPCDA’s two-tier structure against their global revenue figures. For large multinationals, five percent of global revenue represents a qualitatively different compliance incentive than anything PIPEDA created. Compliance program investment should be calibrated accordingly.
Klein offered a measured assessment of where most organizations will land: “Most private-sector organizations will feel that many of the provisions make sense and that they have already evolved their business practices to the point where they will easily comply or can do so without more than minor modifications.” But he flagged the implementation questions that remain unresolved: “How complex, time consuming and expensive are PIAs going to be? In practical terms, how do you satisfy the requirement to explain automated decision making? What will the final wording be in terms of certain definitions — particularly for de-identification?”
Those are the right questions. And they are questions that organizations should be asking now, not after the bill clears Parliament.
The Broader Canadian Digital Regulatory Context
Bill C-36 does not arrive in isolation. It follows Canada’s AI for All strategy, released earlier this month, which is designed to accelerate AI adoption and strengthen the digital economy. The simultaneous introduction of a comprehensive privacy reform bill and a national AI strategy signals a deliberate legislative posture: Canada intends to position itself as a jurisdiction that enables AI-driven innovation while establishing the privacy and data governance infrastructure that makes that innovation sustainable and internationally credible.
That posture has direct implications for multinational organizations assessing their Canadian regulatory environment. A Canada with GDPR-scale privacy penalties, a dedicated enforcement commission, and a national AI strategy is a materially different compliance environment from the PIPEDA-era Canada that many organizations’ legal and compliance programs were built around. The infrastructure being built now — consent management, deletion rights operationalization, PIA programs, automated decision-making documentation — is not Canada-specific overhead. It is the baseline that operating in any major jurisdiction now requires.
How Captain Compliance Can Help
Preparing for Bill C-36’s PPCDA framework — alongside existing obligations under Quebec’s Law 25, PIPEDA, and comparable international regimes — requires a compliance program that can address consent management, data subject rights operationalization, PIA development, and automated decision-making governance in an integrated way. Captain Compliance helps organizations operating in Canada and across international jurisdictions build the frameworks, documentation, and governance infrastructure they need to meet evolving regulatory requirements and demonstrate compliance to enforcement authorities.
Book a demo below to assess your organization’s readiness for Canada’s Bill C-36 and build a compliance program designed for the PPCDA era.