Summary
On June 15, 2026, the federal government introduced Bill C-36, An Act to enact the Protecting Privacy and Consumer Data Act, to amend the Personal Information Protection and Electronic Documents Act and to make amendments to other Acts (“Bill C-36”). If passed, Bill C-36 would enact the new Protecting Privacy and Consumer Data Act (the “PPCDA”), repeal Part 1 of the Personal Information Protection and Electronic Documents Act (“PIPEDA”), and rename the remaining statute the Electronic Documents Act. The proposed PPCDA would represent the most significant reform to Canada’s federal private-sector privacy regime since PIPEDA was enacted in 2000.
Bill C-36 is also connected to the federal government’s proposed digital safety framework. In particular, it would establish the Digital Safety and Data Protection Commission of Canada (the “Commission”), which would have responsibilities under both the proposed PPCDA and the Digital Safety Act introduced through Bill C-34.
Bill C-36 is the federal government’s latest attempt to modernize Canada’s private-sector privacy framework, following earlier reform efforts under Bill C-11 and Bill C-27. Bill C-36 is currently before Parliament and may be amended before it becomes law.
Key Proposed Changes
Expanded Compliance Obligations
The PPCDA would replace PIPEDA as the primary federal privacy statute governing the collection, use and disclosure of personal information in the course of commercial activities, including by federally regulated employers in relation to employee personal information.
Notable proposed changes include the following:
- Automated decision systems: Bill C-36 would introduce more specific transparency obligations where an organization uses an “automated decision system” to make predictions, recommendations or decisions about an individual that could have a significant impact on them.
- Privacy management programs: Bill C-36 would build on PIPEDA’s accountability requirements by creating a more express obligation to maintain a privacy management program, supported by documented policies, procedures, training, and complaint-handling processes.
- Deletion rights: Bill C-36 would create a more express statutory right for individuals to request that an organization dispose of personal information it has collected from them, subject to defined exceptions. This is sometimes described as a deletion right or a “right to be forgotten,” although it would not be an unrestricted right to erase all personal information in all circumstances.
- Service providers: Bill C-36 would expressly permit organizations to transfer individuals’ personal information to a service provider without their knowledge or consent, while preserving the general principle that an organization remains accountable for personal information handled on its behalf.
- Privacy impact assessments and children’s personal information: Bill C-36 would introduce an express privacy impact assessment requirement in certain circumstances and would require organizations to give heightened attention to children’s personal information, including by treating children’s information as sensitive and considering the best interests of children in relevant contexts.
New Regulator and Enforcement Powers
Bill C-36 would also establish a new oversight model. Rather than expanding the role of the Office of the Privacy Commissioner of Canada under PIPEDA, the Bill would transfer federal private-sector privacy oversight to the proposed Commission. The Commission would also be responsible for administering the proposed federal digital safety regime under Bill C-34’s Digital Safety Act. As a result, while Bill C-36 would introduce stronger enforcement tools, it would also move private-sector privacy enforcement away from the existing specialist privacy regulator and into a broader, newly created digital regulator.
The proposed Commission would have order-making powers and the ability to impose administrative monetary penalties for certain contraventions. In response to contraventions under the proposed PPCDA, the Commission would be able to impose significant penalties:
- Administrative monetary penalties of up to the greater of $10 million and 3% of an organization’s gross global revenue in its previous financial year for enumerated contraventions.
- Fines of up to the greater of $25 million and 5% of gross global revenue for enumerated offences.
Implications for Employers
If enacted, Bill C-36 would affect federally regulated employers and other organizations presently subject to PIPEDA. Although the proposed PPCDA largely builds on existing PIPEDA obligations, employers should expect a more prescriptive and enforcement-oriented compliance environment.
For employers, the proposed changes would be most significant where workplace privacy practices involve technology-assisted decision-making, third-party HR service providers, long-term retention of employee or applicant information, or higher-risk processing of personal information.
Employers should consider taking the following steps if Bill C-36 proceeds:
- Review workplace privacy governance, including privacy policies, procedures, training, complaint-handling processes, recordkeeping and oversight of service providers. As part of this review, employers will need to ensure they have a compliant privacy management program.
- Assess the use of automated decision systems in recruitment, applicant screening, productivity monitoring, performance management, discipline, workplace investigations and other employment-related decisions.
- Review retention and deletion practices for personnel files, applicant records, investigation materials, monitoring data and former-employee records.
- Consider whether privacy impact assessment processes may be required or advisable for higher-risk workplace privacy activities.
Need More Information?
For more information concerning Bill C-36, PIPEDA, or workplace privacy obligations more generally, contact Spencer Knibutat at sknibutat@filionlaw.com or your regular lawyer at the firm.