Executive summary
On June 15, 2026, the Government of Canada introduced Bill C-36, An Act to enact the Protecting Privacy and Consumer Data Act, to amend the Personal Information Protection and Electronic Documents Act and to make amendments to other Acts (Bill C-36), in the House of Commons at first reading. If enacted, the Protecting Privacy and Consumer Data Act (PPCDA) will repeal Part 1 of the Personal Information Protection and Electronic Documents Act (PIPEDA) and establish a modernized federal private-sector privacy regime for Canada.
The PPCDA is the third iteration of federal privacy reform legislation following Bill C-11 (2020) and Bill C-27 (2022), both of which died on the order paper. It is substantially similar to the Consumer Privacy Protection Act (the CPPA) proposed in Bill C-27 but includes several notable updates, including a new enforcement framework centred on the Digital Safety and Data Protection Commission of Canada.
This overview summarizes the PPCDA and identifies the principal differences between the PPCDA and PIPEDA as well as between the PPCDA and the CPPA.
Status note
This document describes Bill C-36 as introduced at first reading in the House of Commons on June 15, 2026. The legislation may be amended as it proceeds through the parliamentary process. It does not constitute legal advice and should not be relied upon as a substitute for obtaining legal advice specific to your organization’s circumstances.
Key themes
The PPCDA retains PIPEDA’s consent-based, principles-based, technology-neutral regime grounded in balancing individual privacy rights and organizational interests, while introducing
- a substantially strengthened enforcement regime, with administrative monetary penalties (AMPs) of up to the higher of $10 million or 3% of gross global revenues, penal fines for offences of up to the higher of $25 million or 5%, a private right of action and order-making powers
- a new regulatory model under the Digital Safety and Data Protection Commission of Canada, replacing the Office of the Privacy Commissioner (the OPC)
- clarified and expanded exceptions to consent, including for defined business activities and legitimate interests
- express provisions on de-identified and anonymized information
- a mandatory privacy management program
- codified service provider rules and cross-border transfer requirements, including a new privacy impact assessment obligation before disclosing or transferring personal information outside of Canada
- statutory recognition of codes of practice and certification programs
- new individual rights: disposal (deletion/anonymization) and data mobility
- enhanced protections for children’s personal information
- transparency requirements regarding automated decision systems
About Osler’s Privacy and Data Management Group
Osler has the largest team of practitioners who focus on privacy and data management in Canada. Our team is comprised of acknowledged leaders in the privacy arena, and our Group is consistently recognized by industry-leading publications, including the only Band 1 ranking in Chambers Canada for Privacy and Data Protection.
We provide advice on the increasingly complex rules and the broad range of privacy and data-governance issues arising from the collection, use, disclosure and management of personal information. Our fully integrated team is uniquely positioned to provide a comprehensive service offering that includes high-stakes legal services and innovative online privacy information solutions. We are acknowledged leaders in complex data governance, cybersecurity incident response, and emerging, high-value areas such as data analytics and AI regulation.
Through our innovative AccessPrivacy by Osler thought leadership offering, we provide a series of information products and solutions for Chief Privacy Officers, in-house privacy counsel and privacy compliance professionals. Our offerings include a complimentary Monthly Privacy Call that provides updates on emerging privacy and related developments in the Canadian privacy and data arena, privacy in the courts quarterly updates, and an on-line subscription-based platform. Our monthly call has thousands of subscribers across the private, health and public sectors, and is relied upon by many organizations as a regular part of their privacy awareness.
