Loading...
Canada deserves to know.
Loading...
Tag
3 articles
On June 15, 2026, Minister of Artificial Intelligence and Digital Innovation Evan Solomon tabled Bill C-36, an Act to enact the Protecting Privacy and Consumer Data Act (PPCDA) — the most significant rewrite of Canada's private-sector privacy law since PIPEDA took effect in 2001. The bill's substance is real: a single definition of children (under 18) with children's data classified as sensitive, personal information extended to cover inferred data, a right to human review of automated decisions with significant effects, binding order-making powers, administrative penalties up to $10 million or 3% of global revenue, and fines up to $25 million or 5% of global revenue for the most serious offences. Several provisions — the right to deletion, data mobility, algorithmic transparency, a conditional private right of action — return from Bills C-11 (2020) and C-27 (2022), both of which died without passing. The structural choices are where the debate lives. Enforcement of the new law moves from the Privacy Commissioner of Canada, an independent Agent of Parliament, to a new Digital Safety and Data Protection Commission — a Cabinet-appointed body that also administers online-harms regulation, with a designated Privacy and Consumer Data Commissioner inside it. University of Ottawa law professor Michael Geist calls the design unprecedented among peer countries, argues the commission's internal separation between investigators and adjudicators is more formal than real, and estimates the full regime will not be operational until roughly 2030-31 — a year for passage, eighteen months to stand up the commission, and two more years for it to build privacy expertise. He also notes that anonymized data falls outside the Act entirely while the anonymization standards are left to regulations not yet written. Bill C-36 received first reading June 15 and awaits second reading in the fall. This article documents what the bill does, what it delays, and how its timeline compares with the Lawful Access Act the same House passed in a single day on June 18.
Bill C-22, the Lawful Access Act (full title: "An Act respecting lawful access"), passed third reading in the House of Commons on June 18, 2026 and received first reading in the Senate the same day. According to Parliament's own LEGISinfo record, committee consideration, report stage, and third reading all occurred on June 18 — the bill having been at first reading since March 12 and referred to committee on April 20. University of Ottawa law professor Michael Geist reported that the government limited clause-by-clause committee review to 30 minutes, after which remaining amendments were voted on with no further debate, and that government amendments were not publicly disclosed while opposition amendments — drawn from testimony by the Privacy Commissioner, bar associations, and security experts — were neither released nor debated. The bill lowers the threshold for compelling subscriber information to "reasonable grounds to suspect," which Geist describes as the lowest investigative standard in Canadian criminal law, down from "reasonable grounds to believe." It also authorizes regulations requiring providers to retain categories of metadata for up to one year, and to build interception capability. Privacy Commissioner Philippe Dufresne told committee on May 28 the wording could expose a subscriber's healthcare providers, lawyers, or financial institutions, and urged judicial warrants wherever Canadians retain a reasonable expectation of privacy. Apple, Signal, and NordVPN raised encryption objections, with Signal and NordVPN signalling they could exit Canada. The Canadian Association of Chiefs of Police president, Thomas Carrique, told committee the privacy concerns were "overstated" and that the debate should not overlook victims' rights to safety and justice. C-22 is the standalone successor to the lawful-access provisions originally in the 2025 omnibus Bill C-2, the Strong Borders Act, whose broader warrantless powers were removed in October 2025 after backlash. Separately, Bill C-36 — the government's private-sector privacy modernization — is not expected to take effect until roughly 2030 and transfers private-sector privacy enforcement from the Privacy Commissioner of Canada to a new Cabinet-appointed Digital Safety and Data Protection Commission. This article documents what passed, how fast, who objected, and the gap between the speed of the surveillance bill and the delay on the privacy bill.
The Office of the Privacy Commissioner of Canada is the federal body designed specifically to audit how privacy-affecting government and private-sector practices are conducted. Every recent lawful-access bill in Canada — Bill C-30 (Toews, 2012), Bill C-2 (Strong Borders Act, 2025) — included some statutory role for the OPC in the regime being created. Bill C-22 (Lawful Access Act, 2026) does not. The OPC has no audit role over the bill's one-year metadata-retention requirement, no review role over the Public Safety Minister's secret capability orders, and no complaint jurisdiction over the new regime. The bill instead points to the Intelligence Commissioner as the review body for ministerial orders — a different review body with a different scope. This article walks through what changed between the predecessors and the current bill, and what an OPC role could look like as an amendment.