Bill C-36: How Canada Plans to Replace PIPEDA

By Rodrigo Lamadrid 9 July, 2026

Bill C-36 was introduced on June 15, 2026 by Canada’s Minister of Artificial Intelligence and Digital Innovation. This is an overhaul of Canada’s federal private-sector privacy law in over two decades.

If passed, it would replace the privacy provisions of PIPEDA, create a more powerful regulator, and raise penalties substantially, bringing Canada closer to the GDPR-style enforcement common among its trading partners.

In this article, we’ll explain what would change, how it compares to present-day law, and how Mindsec can help organizations like yours prepare for this paradigm shift in the meantime.

What Is Bill C-36?

This new bill would enact the Protecting Privacy and Consumer Data Act (PPCDA), repealing the privacy provisions of the current law and renaming its remaining provisions as a standalone Electronic Documents Act.

It is the third attempt at this kind of reform in six years, after Bill C-11 (2020) and Bill C-27 (2022) both died before becoming law when Parliament was dissolved.

Unlike Bill C-27, which bundled privacy with a broad AI regulation regime, Bill C-36 deals only with privacy, leaving AI-specific rules to separate legislation still in the works.

Its scope stays close to PIPEDA’s: private-sector organizations engaged in commercial activity across Canada, plus federally regulated employers and any foreign organization handling Canadians’ personal information.

How Bill C-36 Differs From PIPEDA

The baseline consent rules stay broadly similar to what current law requires. The more significant changes are in how organizations must document and prove compliance:

  • Privacy management programs become mandatory, with documented policies, safety measures, and a named point of accountability.
  • A “legitimate interest” exception would let organizations use personal information without consent for specific purposes. But only if the interest outweighs the impact on the individual and the assessment is documented.
  • A separate “business activity” exception also exists. It would cover things like providing a requested service, ensuring system security, or preventing fraud, without needing consent for each one.
  • Automated decision systems (machine learning, predictive analytics, etc.) would trigger a right for individuals to request a plain-text explanation of what affects them.
  • Children’s personal information would be treated as sensitive by default, with stricter handling rules.
  • Cross-border transfers will require a documented Privacy Impact Assessment (PIA) before personal information leaves Canada.
  • A formal deletion right would let individuals request that an organization dispose of their personal information.
  • “De-identified” information would be formally distinguished from “anonymized” information (with de-identified data staying subject to the Act’s protections).

In practice, this shifts the compliance model from broad principles that organizations interpret themselves, to a more prescriptive, documentation-heavy regime closer to GDPR

Bill C-36 also keeps most of PIPEDA’s existing 10 fair information principles as its baseline, rather than discarding them.

The New Regulator: Digital Safety and Data Protection Commission

Rather than expanding the existing Office of the Privacy Commissioner, private-sector privacy oversight would move to a new body: the Digital Safety and Data Protection Commission of Canada.

This Commission would also oversee the separate Digital Safety Act created by Bill C-34, combining privacy and online-safety enforcement under one regulator.

It would have audit powers, binding compliance orders, and the ability to impose penalties directly against non-compliant organizations, without needing a court referral like nowadays.

Enforcement would start with a notice of contravention from the Commissioner, a review by the Commission, and further appeal available to the Federal Court.

This layered structure is closer to how the Competition Bureau enforces its own orders and penalties than to the complaint-driven model used today.

Penalties Under Bill C-36

This is the biggest contrast with the current law. Administrative monetary penalties would reach the greater of $10 million CAD or 3% of an organization’s global gross revenue (a figure with no equivalent under PIPEDA today).

For the most serious of violations (knowingly breaching the reporting duties or a Commission order), penalties on indictment could reach the greater of $25 million CAD or 5% of global gross revenue. This is several times higher than the current law’s.

Bill C-36 would also let individuals sue directly for damages in court after finding contravention by the Commission. This is something the current law doesn’t currently allow anywhere in Canada.

Timeline: Where It Stands Now

The bill was first read on June 15, 2026. Parliament rose for the summer on June 18, with Second Reading debate expected to begin in the fall sitting, when opposition parties are expected to push amendments on the enforcement timeline.

It’s still an early-stage bill and may still be amended before passing. Its coming into force would also depend on Bill C-34 taking effect first, since the two share a single regulator.

Until it passes, PIPEDA remains the law in force, and organizations must continue to comply with it as it stands today, without waiting for the new legislation to take effect first. 

This is something Mindsec can help you with: to comply with PIPEDA now and transition into C-36 once it comes into effect.

Bill C-36 Canada Explained in Brief

These are the four things you must take away from this Bill C-36 Canada Explained overview:

  • The Bill would replace the current privacy law’s provisions with a new law (the PPCDA). But until then, the current law remains in full force.
  • It creates a new, more powerful regulator with direct penalty powers, instead of relying on the Federal Court.
  • Penalties would jump from a $100,000 CAD ceiling to as much as $25 million CAD or 5% of global revenue.
  • It hasn’t passed yet. As of this writing, it has only cleared first reading in the House of Commons.

Frequently Asked Questions

Is Bill C-36 Still in Effect in Canada?

It’s not yet in effect. As of this writing it has only received first reading and is awaiting Second Reading debate; it has no legal force until it receives Royal Assent and its provisions are brought into force by order in council.

PIPEDA, the law it would replace, remains fully in effect and enforceable in the meantime. Organizations should keep treating it as their compliance baseline.

Has Bill C-36 Passed?

No, Bill C-36 has not passed yet and remains far from final. 

It must still clear the remainder of Second Reading debate, detailed committee study clause by clause, Third Reading in the House of Commons, and then the full legislative process all over again in the Senate before it can finally receive Royal Assent.

Given that both Bill C-11 and Bill C-27 died at earlier legislative stages than this, its passing is not guaranteed either. Though the government has publicly signaled this is a priority file for the fall legislative sitting that begins in September 2026.

Committee study is typically where the most substantive amendments happen, involving expert witnesses, stakeholder submissions, and clause-by-clause review. So the final version may differ in material ways from the text originally introduced in June 2026.

What Is Bill 36 Canada?

“Bill 36 Canada” and “Bill C-36” refer to the same bill; the “C” denotes it originated in the House of Commons, unlike a Senate bill, which carries an “S” prefix.

Bill numbers are also reused across Parliamentary sessions, so a search for an older bill with the same number may surface unrelated legislation from a previous sitting.

What Organizations Should Do While Bill C-36 Moves Through Parliament

Formal guidance is pending, but that is no reason to wait. A few steps are worth taking now:

  • Keep meeting your current PIPEDA obligations. Nothing changes until it receives Royal Assent and comes into force.
  • Start documenting a formal Privacy Management Program now, since the new law would make this a real requirement, not an implied one.
  • Review contracts and vendor relationships involving cross-border data transfers, given the incoming PIA requirement. We simplify keeping track with external vendors and suppliers with our Third-Party Risk Management tool.
  • If you use automated decision-making tools on individuals’ data, prepare plain-language explanations of how those systems work.
  • Treat children’s data as sensitive information from today.
  • Watch for committee amendments once Second Reading debate begins in the fall, since the bill’s specifics may still shift before Royal Assent.

Mindsec Helps You Comply with PIPEDA and Transition To Bill C-36

Mindsec is an all-in-one compliance automation platform that helps organizations build and document the privacy and security programs that regulators demand. We support PIPEDA, ISO 27001, NIST CSF, SOC 2, and a dozen more frameworks.

What makes Mindsec unique is our collection of features designed to remove friction and make compliance as simple, fast, and automated as possible:

  • Simplified requirements and evidence collection for each regulation
  • Cross-mapping across a dozen of domestic regulations and international certifications like ISO, GDPR, NIS2, and Loi 25, that helps you comply with multiple/all of them with the same piece of evidence.
  • Real-time control, alert, and threat monitoring
  • Internal Risk Self-Assessment tool for risk mitigation and remediation
  • Built-in Third-Party Risk Management tool to keep track of all vendors, suppliers, contracts, and privacy posture with each.
  • Built-In Cybersecurity Training modules and in-platform evaluation for your team.

Book a 15-minute demo to see how Mindsec keeps your organization ready for what comes next.

Rodrigo Lamadrid

Mindsec staff

Why Stall? Book A Call

Need to comply with PIPEDA Canada, Bill C-36, and other regulations? Book a call with our team and learn how we streamline this for you.

See Mindsec in action