Canada Tables Bill C-36 to Replace PIPEDA: What the Privacy Reform Bill Would Change

Information last verified on June 20, 2026.

Status: Developing. Bill C-36 received first reading on June 15, 2026 and is awaiting second reading in the House of Commons. It is a proposed law, not an enacted one. Nothing in the bill is in force, and its contents can change as it moves through Parliament. PIPEDA remains the governing federal private-sector privacy statute as of this writing.

Canada has reopened one of the longest-running files in its digital policy: replacing the country's federal private-sector privacy law. On June 15, 2026, the Minister of Artificial Intelligence and Digital Innovation, Evan Solomon, introduced Bill C-36, the Protecting Privacy and Consumer Data Act, and the House of Commons gave it first reading the same day (Parliament of Canada, LEGISinfo).

The stakes are simple to state. Canada's existing federal rulebook, the Personal Information Protection and Electronic Documents Act, dates to 2000 and predates the smartphone, social media, and modern data brokering. The Office of the Privacy Commissioner of Canada describes PIPEDA as the law that "sets the ground rules for how private-sector organizations collect, use, and disclose personal information in the course of for-profit, commercial activities across Canada" (Office of the Privacy Commissioner of Canada). That framework is still in force today, and it will stay in force unless and until Bill C-36 passes.

How Canada got here

Bill C-36 is not the first run at this. The previous government's attempt was Bill C-27, formally An Act to enact the Consumer Privacy Protection Act, the Personal Information and Data Protection Tribunal Act and the Artificial Intelligence and Data Act (Parliament of Canada, LEGISinfo). That package reached committee study in the House of Commons, with its last recorded committee meeting on September 26, 2024, but it never reached report stage, third reading, or the Senate.

Then the legislative clock ran out. Parliament was prorogued in January 2025, and prorogation wipes the slate clean: every bill on the Order Paper dies and committees are dissolved. Bill C-27 was among the casualties, and a federal election later in 2025 pushed reform further down the calendar. The practical result is that the much-criticized PIPEDA, written a quarter-century ago, has continued to govern by default.

Bill C-36 is the response. It revives the core ambition of C-27, modernizing private-sector privacy law, but it makes a deliberate change in scope. The bill leaves out the standalone Artificial Intelligence and Data Act that was the most contested part of the earlier package. That separation of privacy from AI regulation is one of the clearest signals of how the government is trying to get this bill through. For readers who want the broader picture of how privacy and automated systems intersect, see our guide to AI and data privacy.

What Bill C-36 would do

Three features stand out from the bill as introduced. First, it elevates the status of privacy. The Act's purpose section frames privacy as a fundamental right, language privacy advocates and the Commissioner had pressed for in the earlier debate.

Second, it rebuilds the regulator. The bill establishes the Digital Safety and Data Protection Commission of Canada, and within it creates a Privacy and Consumer Data Commissioner and a Privacy and Consumer Data Division. According to the bill text, the new Commission would be able to issue orders and impose administrative monetary penalties, a meaningful step up from PIPEDA's softer enforcement model in which the Privacy Commissioner could investigate and recommend but had limited power to compel or fine (Parliament of Canada, Bill C-36, first reading).

Third, it foregrounds children. The Privacy Commissioner's statement on the bill specifically welcomed an explicit recognition of the best interests of children, alongside the fundamental-right framing, mandatory privacy impact assessments, and stronger enforcement powers.

The Commissioner's reaction is itself a primary data point. On June 15, 2026, Commissioner Philippe Dufresne said, "I am pleased to see many of my recommendations reflected in the new Bill," and added that "The OPC will be carefully analysing the Bill, and I look forward to providing my views and recommendations to Parliament in due course" (Office of the Privacy Commissioner of Canada). That is a notably warmer opening than the OPC's posture during parts of the C-27 process, though Dufresne is careful to reserve detailed analysis for his formal parliamentary submission.

The province that did not wait: Quebec's Law 25

While Ottawa stalled, Quebec moved. The province's Law 25 overhauled the Act respecting the protection of personal information in the private sector through a staged rollout. The bulk of the new obligations, including mandatory breach reporting, tightened consent rules, and steep penalties, came into force on September 22, 2023.

The final piece arrived a year later. On September 22, 2024, the data portability right came into force. Quebec's privacy regulator, the Commission d'acces a l'information, marked the day plainly: "C'est aujourd'hui qu'entrent en vigueur les dispositions sur la portabilite," meaning the data portability provisions come into force today (Commission d'acces a l'information du Quebec). The right lets any resident obtain the computerized personal information that an organization collected from them, in a structured and commonly used technological format, and have it sent to themselves or to another authorized organization on request.

Law 25 also carries real teeth. The Commission can impose administrative monetary penalties of up to the greater of 10 million dollars or 2 percent of worldwide turnover, with penal sanctions reaching higher still. The contrast with PIPEDA's limited enforcement is exactly the gap Bill C-36 is trying to close at the federal level. Quebec's regime, and how it interacts with employment data and consent, is the kind of detail businesses operating nationally have to track; our guide to employee data privacy covers parallel workplace issues on the US side.

Analysis: Why This Matters

In the view of the Recording Law Editorial Team, the most important thing to understand about Bill C-36 is that it is a bill, not a law. Headlines about "Canada's new privacy law" are premature. As of June 20, 2026, the federal rulebook is still PIPEDA, the same statute that has governed since 2000. Two prior reform efforts have already failed to cross the finish line, so the responsible reading is to treat C-36 as a serious proposal whose details and even survival are not guaranteed.

That said, the design choices are telling. Dropping the standalone AI act is a calculated bet that decoupling privacy from artificial intelligence regulation removes the single biggest source of controversy that bogged down C-27. It narrows the bill to something with broader cross-party appeal. The trade-off is that Canada would modernize its privacy law while leaving its commercial AI framework for another day.

The enforcement shift is the other story worth watching. Moving from a recommend-and-publicize model to a commission that can issue orders and levy administrative monetary penalties would bring the federal regime closer to Quebec's Law 25 and, in spirit, to Europe's GDPR. Whether the penalty ceilings and the new Commission's independence end up strong enough to change corporate behavior will depend on amendments made in committee. For the cross-border context and how Canada's framework compares internationally, see our overview of Canada data privacy laws.

What Happens Next

The immediate milestone is second reading in the House of Commons, where members debate the bill in principle before it can be referred to committee for clause-by-clause study. That committee stage is where C-27 stalled, so it is the natural pressure point to watch. The Privacy Commissioner has signaled he will file formal views and recommendations to Parliament, which typically happens during committee study.

Nothing in Bill C-36 takes effect on introduction. Even if it passes, the Act would set its own coming-into-force schedule, and a new regulator like the Digital Safety and Data Protection Commission of Canada usually needs a transition period to stand up. Until all of that happens, organizations handling Canadians' personal data should continue to comply with PIPEDA federally, and with Law 25 in Quebec, while monitoring the bill's progress as of mid-2026. We will update this explainer as the bill advances.