From the journal

Canada Introduces Bill C-36 to Replace PIPEDA with New Privacy Law, June 2026

On 15 June 2026, the Canadian Minister of Artificial Intelligence and Digital Innovation introduced Bill C-36, the Protecting Privacy and Consumer Data Act, to replace PIPEDA as the federal private-sector privacy statute. The bill establishes a Digital Safety and Data Protection Commission with penalties up to CAD 25 million or 5% of global revenue, introduces explicit deletion rights for AI-generated deepfakes, and imposes heightened requirements for children's data.

2 min read

On 15 June 2026, the Government of Canada introduced Bill C-36, An Act to enact the Protecting Privacy and Consumer Data Act (PPCDA), in the House of Commons on first reading. The bill is Canada's third federal attempt to replace Part 1 of the Personal Information Protection and Electronic Documents Act (PIPEDA), following the failed Bill C-11 (2020) and Bill C-27 (2022). The Minister of Artificial Intelligence and Digital Innovation tabled the bill, which codifies privacy as a fundamental right in federal legislation for the first time.

The PPCDA would transfer private-sector privacy complaint handling and enforcement from the Office of the Privacy Commissioner to a new Digital Safety and Data Protection Commission of Canada. Administrative monetary penalties would be set at up to CAD 10 million or 3% of global annual revenue (whichever is greater) for standard violations, and up to CAD 25 million or 5% of global annual revenue for the most serious offences. Organizations must obtain meaningful and specific consent for personal data processing. Consumers gain an explicit right to request deletion of their personal information, covering AI-generated deepfakes created using their likeness.

Organizations that collect, use, or disclose personal information of Canadian users must review consent mechanisms, data retention schedules, and technical deletion capabilities before the PPCDA comes into force. Businesses processing children's data must adopt age-appropriate design standards and additional safeguards. AI developers and deployers whose systems generate synthetic personal information, including deepfake audio or video using an identified individual's likeness, face specific deletion obligations on request.

Bill C-36 has yet to pass second reading; the timeline for Royal Assent and the Act's in-force dates remain undetermined. Several PPCDA provisions overlap with Quebec's Act respecting the protection of personal information in the private sector (Law 25), which has been in force since September 2023, creating potential dual-compliance obligations for organizations operating across Canadian provinces. Alignment between the new Commission and the existing Office of the Privacy Commissioner mandate in the public-sector context will require further clarification as the bill progresses.

Licentium advises technology companies and multinational businesses on Canadian and international privacy law compliance. Organizations preparing for Bill C-36 are invited to contact us. Work we undertake includes PIPEDA-to-PPCDA gap analysis, consent mechanism design, AI governance reviews, children's data compliance programmes, and multi-jurisdictional Canadian privacy structuring.

Source: Canada.ca, Government of Canada introduces legislation to Protect Canadians' Privacy in the Digital Age, 15 June 2026

AI Regulatory

More from the journal

See all

FinCEN and Banking Agencies Propose CIP Rules for Stablecoin Issuers, June 2026

On 22 June 2026, FinCEN, the OCC, the Federal Reserve, the FDIC, and the NCUA issued a joint notice of proposed rulemaking requiring permitted payment stablecoin issuers to establish customer identification programs under the GENIUS Act. Covered issuers must collect name, date of birth, address, and taxpayer identification number for each account holder, retaining records for five years. Comments are due 21 August 2026.

China Regulates AI Companion Services, Banning Minor Access, Effective 15 July 2026

On 10 April 2026, five Chinese government authorities jointly issued the Interim Measures for the Administration of Artificial Intelligence Anthropomorphic Interaction Services, effective 15 July 2026. The Measures prohibit AI virtual companion and virtual relative services for minors, require algorithm filing and security assessment for covered providers, and mandate addiction-detection mechanisms. Providers serving children under 14 must obtain explicit guardian consent and implement supervised usage controls including spending restrictions and usage duration limits.

UK Applies Russia Sanctions to Crypto Exchanges Under Regulation 17A, 26 May 2026

On 26 May 2026, the UK Office of Financial Sanctions Implementation applied Regulation 17A(2) of the Russia (Sanctions) (EU Exit) Regulations 2019 to designated crypto-asset exchanges for the first time, sanctioning 18 entities including HTX (formerly Huobi). UK financial institutions and virtual asset service providers are prohibited from processing transfers with designated exchanges. HTX is alleged to have channeled over USD 1.5 billion to Russian counterparties.