Bill C-36: The Government Proposes a New Private-Sector Privacy Law
June 15, 2026

Bill C-36 is the federal government’s latest attempt to modernize Canada’s private-sector privacy law. It would replace the private-sector privacy regime in the Personal Information Protection and Electronic Documents Act (PIPEDA) with a new statute: the Protecting Privacy and Consumer Data Act.
PIPEDA is a 25-year-old statute, and it is showing its age. PIPEDA rests heavily on consent. It gives the Privacy Commissioner limited enforcement powers. It was not designed for artificial intelligence, automated decision systems, inferred data, large-scale profiling, or data flows that take no account of borders.
Bill C-36 keeps some of PIPEDA’s structure and addresses many of its shortcomings. It adds stronger rights language. It creates new organizational duties. It expands exceptions to consent. It gives the regulator order-making powers. It adds administrative monetary penalties, offences, and a conditional private right of action. But it also changes the regulator, removing private-sector privacy authority from the Privacy Commissioner's purview and placing it under a new authority, the "Digital Safety Commission" envisioned by Bill C-34, the Safe Social Media Act. This shift of authority over a right as important and essential as privacy from an independent officer of Parliament to a government-appointed commission is troubling.
The bill is plainly a major renovation of federal privacy law. This short post touches on some of the most significant of these changes - to substantive law, to its enforcement, and to its administration - before concluding with some first thoughts about the Bill's merits and weaknesses.
Substantive law
New statute. Bill C-36 enacts the Protecting Privacy and Consumer Data Act. It repeals Part 1 of PIPEDA, which is the part that governs private-sector privacy. It renames what remains of PIPEDA the Electronic Documents Act.
Purpose clause. The bill recognizes individuals’ fundamental right of privacy in relation to their personal information. It also recognizes that organizations need to collect, use, and disclose personal information for purposes that a reasonable person would consider appropriate. The bill therefore keeps the familiar privacy and commerce language without resorting to a balancing metaphor, but gives privacy stronger footing in the law of rights.
Application. The bill applies to personal information collected, used, or disclosed in the course of commercial activities. It also applies to employee and applicant information connected to federal works, undertakings, and businesses. It reaches interprovincial and international disclosures and transfers of personal information.
Modern vocabulary. Bill C-36 adds or updates key definitions. These include automated decision systems, children, sensitive information, inferred information, de-identified information, and anonymized information. The inclusion of inferred information is important: modern privacy risks often arise from what organizations predict or derive about people, not just from what people knowingly provide.
Accountability. Organizations remain responsible for personal information under their control. They must designate an individual responsible for compliance. They must maintain a privacy management program. That program must address policies, practices, complaints, requests, staff training, and public-facing information. The Commission may request access to the program and may recommend corrective measures.
Appropriate purposes. Organizations may collect, use, or disclose personal information only for purposes that a reasonable person would consider appropriate in the circumstances. This preserves one of PIPEDA’s central safeguards.
Limits on collection, use, and disclosure. Organizations must not collect more personal information than necessary. They must identify purposes. They must identify new purposes when personal information is to be used or disclosed for a new purpose.
Consent. Consent remains central. The bill requires valid consent - not "meaningful" consent - prohibits consent obtained by deception, and allows individuals to withdraw consent. The bill adds a much larger set of exceptions.
Consent exceptions. Bill C-36 includes exceptions for business activities, transfers to service providers, de-identification or anonymization, internal research, analysis and development, prospective business transactions, employment purposes in federally regulated workplaces, witness statements, fraud prevention, debt collection, emergencies, financial abuse, archival purposes, investigations, disclosures to government institutions, legally required disclosures, and prescribed publicly available information.
Legitimate interests. The bill creates a legitimate-interest exception to consent. An organization may collect, use, or disclose personal information without knowledge or consent if the activity serves a legitimate interest that "outweighs" any reasonably foreseeable adverse effect on the individual. The exception has limits. A reasonable person must expect the collection, use, or disclosure. The organization must not process the information for the purpose of influencing the individual’s behaviour or decisions. It must identify and describe the legitimate interest. It must conduct a privacy impact assessment. It must identify foreseeable adverse effects. It must take reasonable mitigation measures. It must keep records available to the Commission.
Practical effect of legitimate interests. This is one of the bill’s most important changes. It gives organizations a route for some non-consensual processing. It also avoids pretending that every modern data practice rests on meaningful consent. Reasonable expectations, behavioural influence, adverse effects, mitigation, and privacy impact assessments will likely become central interpretive questions.
De-identification and anonymization. The bill permits certain uses of personal information to de-identify or anonymize it. It also permits use of de-identified information for internal research, analysis, and development. At the same time, it regulates de-identified information and restricts attempts to identify individuals from that information.
Individual rights. Bill C-36 strengthens individual rights. It provides rights of access, correction, plain-language information, disposal in specified circumstances, and data mobility through future data mobility frameworks. These provisions move federal privacy law closer to a data-rights model.
Retention and disposal. Organizations must establish retention and disposal periods. They must retain information used to make a decision about an individual long enough to allow access and challenge. Individuals may request disposal in specified circumstances.
Security safeguards. Organizations must protect personal information with safeguards appropriate to the sensitivity of the information. They must report breaches of security safeguards to the Commission where the breach creates a real risk of significant harm. They must notify affected individuals and keep breach records.
Cross-border transfers. Bill C-36 does not require personal information to stay in Canada. It does require organizations to assess privacy implications before disclosing or transferring personal information outside Canada. Organizations must consider whether the information would receive substantially similar protection.
Enforcement
Order-making powers. Bill C-36 moves federal privacy law away from PIPEDA’s ombudsperson model. The Commissioner may investigate complaints, use dispute resolution mechanisms, conduct audits, enter compliance agreements, and issue notices of contravention. The Commission may make binding decisions and issue compliance orders.
Compliance orders. Orders may require an organization to take measures to comply with the Act, stop contravening conduct, comply with a compliance agreement, or publish corrective measures. Orders may be filed with the Federal Court and enforced as court orders.
Administrative monetary penalties. The bill creates administrative monetary penalties. Penalties may reach the greater of $10 million or 3% of gross global revenue. These penalties apply to specified contraventions.
Offences. Bill C-36 also creates offences with higher fines. For indictable offences, the maximum fine is the greater of $25 million or 5% of gross global revenue. For summary conviction offences, the maximum is the greater of $20 million or 4% of gross global revenue.
Private right of action. The bill creates a private right of action. It is conditional on prior regulatory or court action: an affected individual may sue for damages only after specified findings, final determinations, appeal outcomes, compliance agreements, or convictions.
Appeals and review. The bill creates appeal routes from certain decisions. The enforcement model gives the regulator stronger powers, but also builds in procedural checks.
Administrative structure
New Commission. Bill C-36 situates privacy enforcement within the Digital Safety and Data Protection Commission of Canada. This is a broader institutional model than PIPEDA.
Commissioner. The bill provides for a Privacy and Consumer Data Commissioner. The Commissioner performs investigative and regulatory functions, including complaints, audits, recommendations, notices of contravention, and related enforcement work.
Division. The bill also creates a Privacy and Consumer Data Division. The Division has decision-making functions, including roles connected to certification programs, reviews, penalties, and other matters assigned under the Act.
Regulatory coordination. The Commission may coordinate with other regulators, including the CRTC and the Commissioner of Competition, reflecting the overlap between privacy, competition, telecommunications, online safety, consumer protection, and data governance.
Initial Thoughts
Bill C-36 improves PIPEDA in important ways, but also misses opportunities to strengthen privacy rights.
Rights language. The recognition of privacy as a fundamental right is welcome. It should provide the legal touchstone for interpretation, enforcement, and remedies. But rights language must be matched by rights-protective machinery. Broad exceptions, weak access to personal remedies, and heavy reliance on a politically appointed regulator could blunt the promise.
Consent. The bill changes the standard for consent from "meaningful" to "valid". There is danger here. Consent in privacy law must be more than notice, a website blurb, or legal fiction. It should require real understanding of the implications of a consent request for one's privacy.
Legitimate interests. A structured legitimate-interest exception is a more accurate approach to many privacy issues than pretending implied consent can justify modern data practices. But it must remain narrow. Reasonable expectations, adverse effects, behavioural influence, mitigation, and privacy impact assessments will determine whether this becomes a useful safeguard to legitimate practices or a loophole that drains privacy rights of their value.
Regulator independence. The institutional design is troubling. Canada should be strengthening its privacy regulator, not downgrading it into a component of a broader digital commission. Privacy needs independent, expert, visible, rights-focused oversight.
Remedies. The private right of action remains too constrained. Individuals should not have to wait for prior regulatory findings before seeking redress. Rights need remedies, not only regulatory process. While the right appears amenable to enforcement in a class action, statutory damages and clear language permitting class proceedings would improve the bill's ability to vindicate the fundamental rights to privacy it claims to champion.
In many ways, the bill promises Canadians stronger privacy protection than PIPEDA. Whether it will make good on that promise will depend on how the Commission interprets legitimate interests, privacy impact assessments, de-identification, children’s privacy, cross-border transfers, and penalties. And the distinction between "valid" and "meaningful" consent may well prove pivotal.
