Canada's Minister of Artificial Intelligence and Digital Innovation, Evan Solomon, introduced Bill C-36 in the House of Commons on 15 June 2026. The bill enacts the Protecting Privacy and Consumer Data Act (PPCDA), which replaces Part 1 of the Personal Information Protection and Electronic Documents Act (PIPEDA). The bill is at the proposed rule stage, having received first reading on 15 June 2026 and now proceeding to second reading and committee study. This is Canada's third attempt to replace PIPEDA; two previous bills (C-11 and C-27) died on the Order Paper.
The PPCDA retains a consent-based structure while granting the new Digital Safety and Data Protection Commission of Canada order-making powers and the authority to impose administrative monetary penalties. The bill creates an expanded private right of action for affected individuals, departing from PIPEDA, under which individuals could only lodge complaints with the Office of the Privacy Commissioner. Provisions governing automated decision-making and profiling align with patterns established in Quebec's Law 25 and reform legislation in other jurisdictions.
AI system operators deploying personal data processing in Canada, including recommendation engines, automated underwriting systems, generative AI products handling user data, and consumer profiling tools, must assess their compliance posture against the PPCDA if the bill is enacted. The Digital Safety and Data Protection Commission replaces the Office of the Privacy Commissioner as the enforcement body for private-sector personal data processing, with broader enforcement tools and penalty authority. Organisations currently operating under PIPEDA must plan transition programmes, though enactment timing depends on parliamentary proceedings.
Bill C-36's automated decision-making provisions and the interaction between the PPCDA and Quebec's Law 25 regime remain areas for committee scrutiny. The bill must clear second reading, committee study, and Senate proceedings before royal assent, introducing timing uncertainty for operators planning compliance investment. The scope of the private right of action, broader than PIPEDA's complaint-only model, may increase litigation exposure for large-scale data processors.
We advise AI system operators, data controllers, and financial institutions on Canadian privacy law compliance and the implications of Bill C-36 for AI-driven data processing. Work we undertake includes PIPEDA-to-PPCDA transition assessments, automated decision-making compliance reviews, privacy impact assessments for AI deployments, and coordination between Canadian and EU/UK privacy and AI regulatory obligations.
Source: Government of Canada, Press Release: Tabling of Bill C-36, 15 June 2026