The Canadian government has introduced Bill C-36, a major privacy reform package that would recognize privacy as a fundamental right, expand consumer control over personal information, strengthen protections for children's data, and create a new regulator with the power to impose penalties of up to 5% of a company's global revenue.
Announced on June 15 by Innovation, Science and Economic Development Canada, the proposed Protecting Privacy and Consumer Data Act (PPCDA) would modernize the country's private-sector privacy framework and replace key portions of the Personal Information Protection and Electronic Documents Act (PIPEDA). The legislation is a central component of Canada's recently announced AI for All strategy, which aims to balance AI adoption with stronger privacy safeguards.
The PPCDA would introduce several new rights and obligations for organizations handling personal information. Canadians would gain the ability to request deletion of their personal data in certain circumstances, receive clearer explanations about how their information is used, and benefit from stronger consent requirements. The bill also includes data portability provisions that would allow consumers to transfer their information between organizations under approved frameworks.
The reforms place particular emphasis on children's privacy. Organizations would be required to treat children's personal information as sensitive data and meet higher standards when collecting, using, or disclosing it.
The legislation also addresses growing concerns around AI and automated decision-making systems. Organizations would face new transparency requirements when using automated systems, including AI-powered tools, and would be expected to explain how those systems affect individuals.
Another notable provision targets potentially harmful uses of personal information, including surveillance pricing, whereby companies use customer data to tailor prices. The government says organizations must ensure personal information is used responsibly and for appropriate purposes, though the legislation does not explicitly prohibit the practice.
The proposal would also introduce stronger requirements around data security and cross-border data transfers. Organizations would need to assess and mitigate privacy risks before sending personal information outside Canada and ensure service providers maintain appropriate safeguards.
As part of Bill C-36, the government plans to establish a new Digital Safety and Data Protection Commission of Canada to oversee both the PPCDA and the proposed Digital Safety Act. A dedicated Privacy and Consumer Data Commissioner would lead privacy investigations and enforcement within the agency.
The Commission would have authority to issue binding compliance orders and levy administrative monetary penalties of up to CAD $10 million or 3% of global revenue, whichever is greater. For the most serious violations, fines could reach CAD $25 million or 5% of global revenue.
If passed in its current form, organizations operating in Canada will need to review consent practices, data retention policies, AI governance programs, privacy impact assessments, and international data transfer procedures to meet the new requirements.
Bill C-36 will now proceed to parliamentary review, where lawmakers and stakeholders are expected to debate its privacy protections, enforcement structure, and impact on businesses.
Leave a Reply