Canada has unveiled its most ambitious privacy reform in more than two decades, introducing legislation that would recognize privacy as a fundamental right, strengthen consumer control over personal data, increase protections for children, and impose significant new obligations on organizations handling personal information.
While many of the bill’s substantive privacy provisions have been welcomed by experts and regulators, it is the legislation’s dramatic restructuring of privacy enforcement that is generating the most intense debate.
The proposed Protecting Privacy and Consumer Data Act or Bill C-36, would transfer responsibility for enforcing private-sector privacy laws away from Canada’s long-standing independent privacy watchdog and place it under a newly expanded Digital Safety and Data Protection Commission. The move would create a powerful new regulator responsible for everything from online harms and age-verification requirements to privacy investigations, audits, and multimillion-dollar penalties.
Supporters argue the approach could streamline enforcement in an increasingly interconnected digital environment. Critics warn it risks weakening the independence that has long been considered a cornerstone of modern privacy governance.
A fundamental right?
At its core, Bill C-36 modernizes Canada’s private-sector privacy framework.
The legislation would require organizations to obtain meaningful consent before collecting personal information, provide consumers with greater transparency about how their data is used, and establish a right to request deletion of personal information. The bill also introduces stronger protections for children by treating their personal information as inherently sensitive.
AI and Digital Innovation Minister Evan Solomon framed the legislation as part of Canada’s broader strategy to foster trust in emerging technologies while supporting innovation and economic growth.
The bill arrives alongside the government’s wider digital agenda, including the recently introduced Safe Social Media Act and Canada’s AI for All strategy, both of which seek to address concerns about the societal impact of digital technologies and artificial intelligence.
Privacy Commissioner Philippe Dufresne welcomed several aspects of the proposal, particularly its recognition of privacy as a fundamental right, its emphasis on children’s interests, stronger enforcement powers, and new requirements for privacy impact assessments.
But the most consequential aspect of the legislation are not the rights it creates, but who will enforce them.
The rise of Canada’s digital super-regulator
Bill C-36 would significantly expand the mandate of the newly created Digital Safety Commission, renaming it the Digital Safety and Data Protection Commission of Canada and giving it authority over private-sector privacy enforcement.
The new body would oversee both online safety and privacy regulation, including investigations, hearings, audits, compliance orders, and substantial financial penalties. Organizations could face penalties of up to CAD$10 million or three percent of global revenue for non-compliance, while the most serious violations could result in fines reaching CAD$25 million or five percent of global revenue.
This represents a major departure from Canada’s traditional model, where private-sector privacy oversight has been carried out by the Office of the Privacy Commissioner of Canada, an independent Agent of Parliament that reports directly to legislators rather than the government of the day.
According to University of Ottawa law professor Michael Geist, the implications are profound.
As Geist wrote following the bill’s introduction, “removing an Agent of Parliament from private-sector privacy enforcement after decades isn’t something you tuck into a lengthy bill, but rather requires extended public consultation and analysis on how best to ensure Canada has effective privacy enforcement.”
Geist argues that the legislation effectively creates a “digital super-regulator” with responsibilities that extend across online content regulation, age-verification systems, platform governance, and private-sector privacy protection. He has further questioned whether concentrating such broad authority within a single commission could undermine the independence traditionally associated with privacy oversight.
Breaking with international practice
One of the most significant concerns surrounding Bill C-36 is that it appears to diverge from the regulatory structures adopted by many of Canada’s democratic peers.
Across Europe, privacy enforcement under GDPR is carried out by independent data protection authorities that are institutionally separate from online safety regulators. Similar arrangements exist in the UK, where privacy oversight remains with the Information Commissioner’s Office while online safety regulation falls under Ofcom.
Australia has likewise maintained a distinction between privacy regulation and online safety enforcement, with separate authorities coordinating where necessary but remaining institutionally independent.
Geist argues that Canada’s proposed model is unusual because it combines these functions under a single commission. If enacted, Canada would become one of the few major democracies to consolidate privacy enforcement and online harms regulation within the same regulatory body.
That distinction matters because privacy regulators are often expected to act independently not only from private organizations but also from government itself. Many international frameworks, including those in Europe, place considerable emphasis on regulator independence as a prerequisite for effective privacy protection.
Could Canada’s EU adequacy status be affected?
One of the key questions emerging from the bill is whether the enforcement changes could have implications for Canada’s international data-transfer arrangements.
Canada currently benefits from an adequacy determination from the EU, allowing personal data to flow more easily between Canadian organizations and European entities. A core element of the EU privacy framework is the requirement for independent supervisory authorities.
While it remains far too early to determine whether Bill C-36 could affect Canada’s adequacy status, some observers are already asking whether transferring private-sector enforcement powers from an independent parliamentary officer to a Cabinet-appointed commission could invite closer scrutiny from European regulators.
If questions about regulatory independence emerge during future adequacy reviews, the debate could extend beyond domestic politics and into international trade and cross-border data governance.
A potential bellwether for other countries?
The introduction of Bill C-36 is unlikely to trigger an immediate wave of regulatory restructuring elsewhere. Most mature privacy regimes have spent years building independent data protection authorities and strengthening their autonomy rather than consolidating them into broader digital regulators.
However, the legislation may influence policy discussions in jurisdictions wrestling with increasingly overlapping issues such as AI governance, online harms, age assurance, children’s safety, and privacy protection.
Governments worldwide are searching for regulatory models capable of addressing complex digital ecosystems without creating fragmented oversight structures. Canada’s experiment with a single regulator responsible for multiple aspects of digital governance will therefore be watched closely by policymakers, regulators, and privacy professionals internationally.
If the model proves effective, it could encourage other governments to consider more integrated approaches to digital regulation. If concerns about independence, accountability, or regulatory overload materialize, it may instead reinforce the case for maintaining separate privacy and online safety authorities.
The bigger debate
Bill C-36 reflects a broader shift in how governments are approaching digital governance. Rather than treating privacy as a standalone issue, the legislation places it alongside AI regulation, online safety, platform accountability, and consumer protection within a single institutional framework.
Whether that represents modernization or mission creep is the main question. The bill strengthens privacy rights for Canadians and introduces enforcement tools that many regulators have long sought. But its legacy may ultimately be determined less by the rights it creates than by the regulatory architecture it establishes.
As Parliament begins reviewing the legislation in the coming months, the debate is likely to focus not only on how Canadians’ personal information should be protected, but also on who should be entrusted with protecting it. The answer could shape the future of privacy regulation in Canada and potentially influence digital governance debates around the world.
