Canada’s private sector privacy law is more than 25 years old and there is broad consensus that a modernization is long overdue. Bill C-36, tabled on Monday, is the government’s third attempt at updating the law, following the failed efforts with Bill C-11 in 2020 and Bill C-27 in 2022. My first post on the new bill focused on what I think remains both the most important development and the biggest mistake: the decision to push the Privacy Commissioner of Canada out of private-sector privacy and to place the file with an overloaded digital safety commission. For years, privacy critics have argued that, given the absence of order-making powers or serious penalties, Canada’s biggest shortcoming has been weak enforcement. Yet just as the government adds much-needed new rights and penalties to the privacy law framework, it undermines enforcement once again by introducing a new regulator that will take years to establish. The consequence is that, rather than updating the law for 2027, it is updating it for 2030 or later.
Archive for June 18th, 2026
Recent Posts
One Step Forward, Two Steps Back: Bill C-36 Modernizes Canada’s Privacy Law, Then Delays It to 2030 
Gary Anandasangaree’s Vic Toews Moment Shows the Government Has Lost Its Way on Lawful Access 
Government Moves to Shut Down Lawful Access Hearing In Order To Fast Track Passing the Bill This Week 
Canada’s Digital Super-Regulator: Bill C-36 Pushes Out the Privacy Commissioner and Hands Private Sector Privacy to an Overloaded Commission 
The Commission: How Bill C-34 Creates an Internet Super-Regulator That Will Touch the Lives of Millions of Canadians
