2025 OSLER LEGAL OUTLOOK

Canada’s 2026 privacy priorities: data sovereignty, open banking and AI

December 4, 2025

Key Takeaways

  • 2026 will bring further significant changes in privacy legislation, as well as new non-legislative tools and regulatory mechanisms.
  • Upcoming legislation may include a new federal privacy statute with strict penalties and a tribunal for enforcement.
  • Initiatives will focus on data sovereignty, open banking, rigorous cybersecurity requirements for critical infrastructure and AI strategy.

Over the past several years, the focus has been on reshaping privacy legislation at the federal and provincial levels in Canada. While this foundational reform is expected to continue, we also expect the privacy and data landscape in 2026 to be meaningfully shaped by non-legislative tools. These include government strategic policy, non-binding industry standards and regulatory guidance and rigorous oversight from regulatory authorities.

We also expect a more specific focus on “data sovereignty” measures across a range of Canadian statutes, regulations and policies, particularly as geopolitical concerns intensify in light of ongoing tariff and trade tensions with the United States.

The following is a snapshot of key developments we anticipate in 2026 and beyond.

Data sovereignty

We expect the concepts of data sovereignty and digital sovereignty to continue to figure prominently in 2026. The federal government released its Digital Sovereignty Framework in November. This Framework outlines key procurement, supply and technical controls — at a policy level — to strengthen institutional control over federal government data and information systems. The recently released federal budget has also built on the national Sovereign AI Compute Strategy by committing significant investment over five years towards “sovereign AI infrastructure.”

Given the need for data sovereignty from the perspectives of national security, cybersecurity, privacy and economics, we expect policy and consultation discussion to occur at the federal and provincial government levels about appropriate measures to mitigate risk arising from foreign-based access to Canadian data. Beyond data localization efforts, which have generally been ineffective as we discuss in our Osler Update and our Osler Legal Outlook article, there has been growing interest in more nuanced and agile tools.

Upcoming data sovereignty initiatives may take the form of legislation, such as risk-based data transfer assessments, regulation or other policy instruments. These may be targeted at particular industries or sectors. Alternatively, they may apply generally to certain classes of data, including sensitive types of personal information. Technical and contractual measures, as well as procurement policies, can also be useful mechanisms.

For an in-depth conversation about emerging data sovereignty considerations, featuring international data policy experts, please see the recording of the AccessPrivacy Monthly Privacy Call from November 12, 2025.

Overhauling federal private sector privacy legislation

The recent federal budget announcement signaled that a new federal private sector privacy statute and a companion bill establishing a tribunal to administer a penalty-based enforcement regime are expected to be introduced in late 2025 or early 2026. The previous federal government’s proposed legislation to replace the Personal Information Protection and Electronic Documents Act (PIPEDA) and establish the Consumer Privacy Protection Act (CPPA) died on the order paper in January 2025.

The proposed statute is expected to include potentially severe penalties, including the possibility of fines of up to the greater of C$25 million or 5% of gross global revenue, as well as other provisions reflected in the prior version of the CPPA contained in Bill C-27. It is also expected to incorporate measures addressing data sovereignty. The Minister has publicly identified children’s privacy and emerging technologies — such as AI-generated “deepfakes” — as priority areas to be addressed.

In addition, as noted below, the recently introduced Budget 2025 Implementation Act, No. 1 (Budget Implementation Act) proposes amendments to PIPEDA to introduce a data mobility right intended to support an economy-wide approach to data sharing.

Federal AI strategy 

The previously proposed Artificial Intelligence and Data Act (AIDA) died on the order paper in January 2025. The current federal government has indicated that it will seek to regulate the design, development and deployment of AI technologies through privacy legislation, policy and investment, rather than overarching AI-specific legislation.

We expect the new Ministry of Artificial Intelligence and Digital Innovation to continue rolling out its multi-faceted strategy to “position Canada at the forefront of the AI revolution.” The strategy involves initiatives such as the Safe and Secure AI Advisory Group, the Canadian Sovereign AI Compute Strategy, the AI Safety Institute and the Voluntary Code of Conduct on the Responsible Development and Management of Advanced Generative AI Systems. It also entails the commitment of targeted funding. 

In connection with the new AI Strategy Task Force, the federal government held a public engagement “sprint” in October 2025 to support its development of a renewed national AI strategy. Expected in late 2025, the renewed strategy will likely continue to rely on policy mechanisms, rather than comprehensive legislative or regulatory reform, to address the government’s priorities for supporting the growth of trustworthy AI systems in Canada. 

As part of the public engagement process, AccessPrivacy hosted an interactive workshop focused on the theme of building safe AI systems and strengthening public trust in AI, and submitted a copy of the recording to Innovation, Science and Economic Development Canada (ISED).

Implementing Canada’s open banking framework

Over the next 18 months, we can expect significant progress towards implementing Canada’s open banking framework. In June 2024, the federal government passed the Consumer-Driven Banking Act (CDBA). The CDBA aims to create a framework to enable consumers, including small businesses, to securely share prescribed types of financial data among defined “participating entities.” At the same time, the framework seeks to foster competition in the financial sector in the interests of consumers.

Consistent with its commitment in the 2025 budget, the federal government introduced amendments to the CDBA in the Budget Implementation Act to complete the open banking framework. The federal government has signaled its intention to move the CDBA amendments through the legislative process on an accelerated basis.

In essence, the CDBA sets out a structure for data portability. Notably, in the Budget Implementation Act, the government also proposed complementary amendments to PIPEDA to establish an interoperable data mobility regime, which adds a data portability right to existing individual access rights under the statute. The PIPEDA data mobility amendments will give individuals the right to request that prescribed organizations, such as banks, provide specified personal information (e.g., financial data), in a structured, commonly used technological format, to another person or organization authorized to receive the information.

In 2026, we anticipate the federal government will prioritize the development of regulations under PIPEDA, as contemplated by the proposed amendments, to operationalize the data mobility framework. These regulations will, among other things, set out security safeguards and interoperability standards for the permission-based secure sharing of prescribed data and provide for exceptions to the disclosure requirement.

Provincial privacy legislative reform

Alberta’s legislative committee tasked with reviewing the province’s Personal Information Protection Act (PIPA) completed its report in February 2025. We expect Alberta’s legislature to announce material amendments to PIPA in 2026 based on the committee’s 12 recommendations, which include introducing specific obligations regarding children’s privacy, creating a penalty-based enforcement regime and defining obligations regarding de-identified and anonymized data.

Following the recent overhaul of Québec’s health privacy regime in 2024, we expect significant discussion over the coming years in other provinces about the modernization of health privacy statutes. We expect these conversations, which will involve governments and health ministries across Canadian jurisdictions, to focus on legislative amendments, regulations and policy tools to facilitate the respectful leveraging of data to improve the delivery of healthcare services.

Ontario, Alberta and Nova Scotia passed significant reforms to public sector privacy and access legislation in 2024 and 2025. In the coming years, we expect other provincial governments to contemplate trends from this recently amended or introduced legislation, including enhanced requirements for public institutions to conduct privacy impact assessments and report data breaches.

New cybersecurity requirements for critical infrastructure   

In 2025, the federal government introduced a bill regarding critical infrastructure cyber systems which is functionally identical to the previous session’s Bill C-26. If passed, Bill C-8 will establish a new federal framework governing the cybersecurity of Canada’s critical infrastructure. The legislation will designate certain organizations as operators of “critical cyber systems” and require them to implement formal cybersecurity programs, address risks arising from their supply chains and third-party technologies, and report cybersecurity incidents that meet prescribed thresholds. Bill C-8 will grant a range of federal regulators broad inspection, audit and order-making powers. Such powers will include the ability to direct operators to cease non-compliant activities or undertake specific corrective measures.

If enacted, Bill C-8 will have meaningful impacts across sectors deemed critical to national security and economic stability. Affected organizations will face heightened cybersecurity expectations, requiring more mature governance, risk management and operational safeguards. Supply chain and vendor oversight will become more stringent, likely necessitating enhanced due diligence, contractual protections and continuous monitoring of third-party dependencies. Incident reporting and regulatory transparency obligations will increase, potentially triggering follow-up reviews or mandated remediation. Boards and senior leaders will see expanded compliance obligations, including greater accountability for cybersecurity readiness, assurance processes and resource allocation.

Overall, Bill C-8 will materially elevate the regulatory baseline for cybersecurity in Canada, driving more proactive risk management and stronger oversight of the systems that support critical national infrastructure. Given that the previous Bill C-26 completed third reading and only failed to receive Senate approval due to a drafting error, we expect the current form of Bill C-8 to be passed without significant amendment in 2026. 


Looking forward

Given the expected introduction of a variety of new privacy and data legislative frameworks, including a new federal private sector statute that will likely include strong enforcement mechanisms, it is critical that companies doing business in Canada have a thorough understanding of their personal information and data practices and implement documented internal governance obligations. Targeted legislation, particularly with regard to critical infrastructure and open banking, will introduce specific obligations for certain sectors and industries. 

More broadly, we expect geopolitical developments to shape lawmakers’ and regulators’ priorities across Canadian jurisdictions. Organizations should expect these conversations and developments, particularly with regard to data sovereignty and AI, to have a significant impact on the business, legal and policy landscapes in Canada.