Loading...
Canada deserves to know.
Loading...
Bill C-36, tabled June 15, 2026, would replace Canada's 25-year-old private-sector privacy law with real teeth: fines up to $25 million or 5% of global revenue, new protections for children's data, and rights against automated decision-making. The catches are structural. By law professor Michael Geist's estimate, the regime won't be operational until roughly 2030. And enforcement moves from the Privacy Commissioner of Canada — an independent Agent of Parliament — to a new five-member, Cabinet-appointed commission that is also responsible for policing online content. The same June sitting that fast-tracked the Lawful Access Act through the House in a single day left the privacy half of the bargain waiting years.
On June 15, 2026, Minister of Artificial Intelligence and Digital Innovation Evan Solomon tabled Bill C-36, an Act to enact the Protecting Privacy and Consumer Data Act (PPCDA) — the most significant rewrite of Canada's private-sector privacy law since PIPEDA took effect in 2001. The bill's substance is real: a single definition of children (under 18) with children's data classified as sensitive, personal information extended to cover inferred data, a right to human review of automated decisions with significant effects, binding order-making powers, administrative penalties up to $10 million or 3% of global revenue, and fines up to $25 million or 5% of global revenue for the most serious offences. Several provisions — the right to deletion, data mobility, algorithmic transparency, a conditional private right of action — return from Bills C-11 (2020) and C-27 (2022), both of which died without passing. The structural choices are where the debate lives. Enforcement of the new law moves from the Privacy Commissioner of Canada, an independent Agent of Parliament, to a new Digital Safety and Data Protection Commission — a Cabinet-appointed body that also administers online-harms regulation, with a designated Privacy and Consumer Data Commissioner inside it. University of Ottawa law professor Michael Geist calls the design unprecedented among peer countries, argues the commission's internal separation between investigators and adjudicators is more formal than real, and estimates the full regime will not be operational until roughly 2030-31 — a year for passage, eighteen months to stand up the commission, and two more years for it to build privacy expertise. He also notes that anonymized data falls outside the Act entirely while the anonymization standards are left to regulations not yet written. Bill C-36 received first reading June 15 and awaits second reading in the fall. This article documents what the bill does, what it delays, and how its timeline compares with the Lawful Access Act the same House passed in a single day on June 18.
Start with the substance, because it's real. **Bill C-36**, tabled **June 15, 2026** by Artificial Intelligence and Digital Innovation Minister **Evan Solomon**, would enact the **Protecting Privacy and Consumer Data Act (PPCDA)** — retiring the private-sector rules of **PIPEDA**, a law that took effect in **2001**, before smartphones, social platforms, or AI inference existed.
The advances are concrete:
- **Children's data.** One definition of a child (**under 18**), children's personal information classified as **sensitive by default**, a **best-interests-of-the-child** factor, and stronger deletion rights for data collected from minors. - **AI-era coverage.** Personal information now includes **inferred data** — the profile a system builds about you, not just what you typed in. Canadians get a right to **human review of automated decisions** with legal or similarly significant effects. - **Enforcement with teeth.** Binding orders, **administrative penalties up to $10 million or 3% of global revenue**, and **fines up to $25 million or 5% of global revenue** for the most serious offences — the largest in Canadian privacy history. - **The returning reforms.** A right to deletion, data mobility, algorithmic transparency, and a conditional private right of action — provisions Canadians were promised in **Bill C-11 (2020)** and **Bill C-27 (2022)**, both of which died without passing.
Privacy lawyers across the country are calling it the most significant modernization in a generation. On paper, they're right.
A right that takes effect in 2030 protects no one in 2026, 2027, 2028, or 2029.
By University of Ottawa law professor **Michael Geist's** estimate, the PPCDA won't be **operational until roughly 2030-31**. The arithmetic: about **a year** for the bill to pass Parliament, **eighteen months** to stand up the new commission that enforces it, and **two or more years** for that regulator to build privacy expertise and write the regulations the Act leans on. Until every step completes, **PIPEDA — the 2001 law — keeps governing.**
And the regulations matter more than usual, because the Act delegates load-bearing definitions to rules that don't exist yet. The clearest example, per Geist: **anonymized data falls outside the Act entirely** — so the unwritten anonymization standard will quietly decide how much of the data economy escapes the law altogether.
This is the third attempt at these reforms in six years. The first two (C-11, C-27) died on the order paper. Even if this one passes, a child who is ten today will be a licensed driver before the children's-data protections bite.
Since PIPEDA, private-sector privacy has been overseen by the **Privacy Commissioner of Canada** — an **Agent of Parliament**, meaning the office answers to Parliament as a whole, not to the government of the day. That independence is the point: a privacy regulator's job periodically requires embarrassing the government.
Bill C-36 moves the entire private-sector file to a new body: the **Digital Safety and Data Protection Commission** — **five members, appointed by Cabinet**, with a designated **Privacy and Consumer Data Commissioner** inside it. The same commission also administers **online-harms content regulation**.
The government's case is consolidation: one digital-era regulator, specialized staff, binding powers the Privacy Commissioner never had. It's a real argument — the OPC's ombuds-model was widely seen as under-powered.
Geist's objections go to design, and they're worth stating precisely as his: pairing content regulation with data protection is **"unprecedented among peer countries"**; the internal separation between the commission's investigators and adjudicators is **"more formal than real"**; the commission can hold **hearings in secret**, is **not bound by the ordinary rules of evidence**, and can act with as few as **one appointee**. He also flags the risk that moving privacy out of an independent office could complicate Canada's **EU adequacy** standing — the finding that lets data flow freely from Europe.
Whatever one concludes, the institutional fact is stark: for the first time since 2001, the **independent watchdog is out** of private-sector privacy, and a **Cabinet-appointed body is in** — while penalties get big enough to be worth fighting about.
Put the two June bills side by side, using nothing but the parliamentary record.
**Bill C-22, the Lawful Access Act** — lowering the threshold to identify Canadians online and authorizing year-long metadata retention — completed **committee, report stage, and third reading in a single day, June 18, 2026**, after the government limited clause-by-clause review to 30 minutes. It's in the Senate, which is expected to take it up when Parliament returns in **late September**. ([Our full coverage.](/news/bill-c22-lawful-access-act-third-reading-surveillance-now-privacy-2030))
**Bill C-36, the privacy bill** — the citizen-protection half of the same digital agenda — was tabled three days earlier, on June 15. It waits for second reading in the fall, then committee, then the Senate, then an **eighteen-month commission build**, then regulations. Operational, per Geist: **around 2030**.
Both bills come from the same government, in the same month, on the same subject: who controls information about Canadians. One got the fast lane. One got a five-year runway. You don't need an opinion about either bill's merits to find that asymmetry worth putting on the record — and worth asking your MP and senators about this fall, when both bills are in front of them at once. [Find your MP here.](/find-your-mp)
The fall sitting will decide both. We'll track every vote.
On June 18, 2026, the House of Commons passed Bill C-22, the Lawful Access Act — compressing committee study, report stage, and third reading into one day, with clause-by-clause committee review capped at 30 minutes. It now sits in the Senate. The bill lowers the standard for police to compel a subscriber's identity to "reasonable grounds to suspect" and lets regulations require providers to retain a year of Canadians' metadata. Its companion bill, C-36 — the one that's supposed to strengthen your privacy — won't take effect until roughly 2030 and hands the independent Privacy Commissioner's private-sector role to a new Cabinet-appointed commission. Surveillance now; protection later.
Every recent Canadian lawful-access proposal — from Bill C-30 in 2012 to Bill C-2 last year — included some statutory role for the Office of the Privacy Commissioner. Bill C-22 does not. The OPC cannot audit how the retained metadata is stored, cannot review the secret capability orders, and has no investigation power over complaints arising from the new regime. Here is what changed.
The bill explicitly excludes the content of communications from mandatory retention. What it would require — who you talked to, when, where you were, what device you used — is the data that intelligence professionals call "the more important half" of surveillance. Here is what a year of that data reveals about an ordinary Canadian.
About this article
Parliament Audit is non-partisan and does not endorse or oppose any legislation. This article is based on publicly available legislative documents and parliamentary records; all sources are linked above.
AI-assisted, human-edited. AI tools help us ingest parliamentary records and draft analysis; an editor reviews every article and verifies key facts against primary sources before publication. Quotation marks are reserved for verbatim text from a primary source. See our methodology and corrections log.
Your MP votes on this. Their constituency inbox is the most-read channel for feedback on bills in committee.
You're welcome to run this article in full on your newsroom, blog, newsletter, or paper. Keep the byline and the link back to parliamentaudit.ca. See the full terms.
<!-- Parliament Audit — republished under CC BY-ND 4.0 -->
<article>
<h1>Canada's New Privacy Bill Carries the Biggest Penalties in Its History. It Isn't Expected to Take Effect Until About 2030 — and the Independent Privacy Watchdog Won't Be the One Enforcing It.</h1>
<p><em>By Parliament Audit · July 3, 2026 · 6 min read</em></p>
<p><strong>On June 15, 2026, Minister of Artificial Intelligence and Digital Innovation Evan Solomon tabled Bill C-36, an Act to enact the Protecting Privacy and Consumer Data Act (PPCDA) — the most significant rewrite of Canada's private-sector privacy law since PIPEDA took effect in 2001. The bill's substance is real: a single definition of children (under 18) with children's data classified as sensitive, personal information extended to cover inferred data, a right to human review of automated decisions with significant effects, binding order-making powers, administrative penalties up to $10 million or 3% of global revenue, and fines up to $25 million or 5% of global revenue for the most serious offences. Several provisions — the right to deletion, data mobility, algorithmic transparency, a conditional private right of action — return from Bills C-11 (2020) and C-27 (2022), both of which died without passing. The structural choices are where the debate lives. Enforcement of the new law moves from the Privacy Commissioner of Canada, an independent Agent of Parliament, to a new Digital Safety and Data Protection Commission — a Cabinet-appointed body that also administers online-harms regulation, with a designated Privacy and Consumer Data Commissioner inside it. University of Ottawa law professor Michael Geist calls the design unprecedented among peer countries, argues the commission's internal separation between investigators and adjudicators is more formal than real, and estimates the full regime will not be operational until roughly 2030-31 — a year for passage, eighteen months to stand up the commission, and two more years for it to build privacy expertise. He also notes that anonymized data falls outside the Act entirely while the anonymization standards are left to regulations not yet written. Bill C-36 received first reading June 15 and awaits second reading in the fall. This article documents what the bill does, what it delays, and how its timeline compares with the Lawful Access Act the same House passed in a single day on June 18.</strong></p>
<h2>What the bill genuinely gets right</h2>
<p>Start with the substance, because it's real. **Bill C-36**, tabled **June 15, 2026** by Artificial Intelligence and Digital Innovation Minister **Evan Solomon**, would enact the **Protecting Privacy and Consumer Data Act (PPCDA)** — retiring the private-sector rules of **PIPEDA**, a law that took effect in **2001**, before smartphones, social platforms, or AI inference existed.</p>
<p>The advances are concrete:</p>
<p>- **Children's data.** One definition of a child (**under 18**), children's personal information classified as **sensitive by default**, a **best-interests-of-the-child** factor, and stronger deletion rights for data collected from minors.
- **AI-era coverage.** Personal information now includes **inferred data** — the profile a system builds about you, not just what you typed in. Canadians get a right to **human review of automated decisions** with legal or similarly significant effects.
- **Enforcement with teeth.** Binding orders, **administrative penalties up to $10 million or 3% of global revenue**, and **fines up to $25 million or 5% of global revenue** for the most serious offences — the largest in Canadian privacy history.
- **The returning reforms.** A right to deletion, data mobility, algorithmic transparency, and a conditional private right of action — provisions Canadians were promised in **Bill C-11 (2020)** and **Bill C-27 (2022)**, both of which died without passing.</p>
<p>Privacy lawyers across the country are calling it the most significant modernization in a generation. On paper, they're right.</p>
<h2>Catch #1 — the calendar</h2>
<p>A right that takes effect in 2030 protects no one in 2026, 2027, 2028, or 2029.</p>
<p>By University of Ottawa law professor **Michael Geist's** estimate, the PPCDA won't be **operational until roughly 2030-31**. The arithmetic: about **a year** for the bill to pass Parliament, **eighteen months** to stand up the new commission that enforces it, and **two or more years** for that regulator to build privacy expertise and write the regulations the Act leans on. Until every step completes, **PIPEDA — the 2001 law — keeps governing.**</p>
<p>And the regulations matter more than usual, because the Act delegates load-bearing definitions to rules that don't exist yet. The clearest example, per Geist: **anonymized data falls outside the Act entirely** — so the unwritten anonymization standard will quietly decide how much of the data economy escapes the law altogether.</p>
<p>This is the third attempt at these reforms in six years. The first two (C-11, C-27) died on the order paper. Even if this one passes, a child who is ten today will be a licensed driver before the children's-data protections bite.</p>
<h2>Catch #2 — who enforces it</h2>
<p>Since PIPEDA, private-sector privacy has been overseen by the **Privacy Commissioner of Canada** — an **Agent of Parliament**, meaning the office answers to Parliament as a whole, not to the government of the day. That independence is the point: a privacy regulator's job periodically requires embarrassing the government.</p>
<p>Bill C-36 moves the entire private-sector file to a new body: the **Digital Safety and Data Protection Commission** — **five members, appointed by Cabinet**, with a designated **Privacy and Consumer Data Commissioner** inside it. The same commission also administers **online-harms content regulation**.</p>
<p>The government's case is consolidation: one digital-era regulator, specialized staff, binding powers the Privacy Commissioner never had. It's a real argument — the OPC's ombuds-model was widely seen as under-powered.</p>
<p>Geist's objections go to design, and they're worth stating precisely as his: pairing content regulation with data protection is **"unprecedented among peer countries"**; the internal separation between the commission's investigators and adjudicators is **"more formal than real"**; the commission can hold **hearings in secret**, is **not bound by the ordinary rules of evidence**, and can act with as few as **one appointee**. He also flags the risk that moving privacy out of an independent office could complicate Canada's **EU adequacy** standing — the finding that lets data flow freely from Europe.</p>
<p>Whatever one concludes, the institutional fact is stark: for the first time since 2001, the **independent watchdog is out** of private-sector privacy, and a **Cabinet-appointed body is in** — while penalties get big enough to be worth fighting about.</p>
<h2>The asymmetry, on the record</h2>
<p>Put the two June bills side by side, using nothing but the parliamentary record.</p>
<p>**Bill C-22, the Lawful Access Act** — lowering the threshold to identify Canadians online and authorizing year-long metadata retention — completed **committee, report stage, and third reading in a single day, June 18, 2026**, after the government limited clause-by-clause review to 30 minutes. It's in the Senate, which is expected to take it up when Parliament returns in **late September**. ([Our full coverage.](/news/bill-c22-lawful-access-act-third-reading-surveillance-now-privacy-2030))</p>
<p>**Bill C-36, the privacy bill** — the citizen-protection half of the same digital agenda — was tabled three days earlier, on June 15. It waits for second reading in the fall, then committee, then the Senate, then an **eighteen-month commission build**, then regulations. Operational, per Geist: **around 2030**.</p>
<p>Both bills come from the same government, in the same month, on the same subject: who controls information about Canadians. One got the fast lane. One got a five-year runway. You don't need an opinion about either bill's merits to find that asymmetry worth putting on the record — and worth asking your MP and senators about this fall, when both bills are in front of them at once. [Find your MP here.](/find-your-mp)</p>
<p>The fall sitting will decide both. We'll track every vote.</p>
<hr />
<p><small>
Originally published by <a href="https://parliamentaudit.ca/news/bill-c36-privacy-law-biggest-penalties-2030-delay-super-regulator">Parliament Audit</a>
under the <a href="https://creativecommons.org/licenses/by-nd/4.0/">CC BY-ND 4.0</a> license.
<img src="https://parliamentaudit.ca/api/republish-beacon?slug=bill-c36-privacy-law-biggest-penalties-2030-delay-super-regulator" alt="" width="1" height="1" />
</small></p>
</article>