Canada’s private sector privacy law is more than 25 years old and there is broad consensus that a modernization is long overdue. Bill C-36, tabled on Monday, is the government’s third attempt at updating the law, following the failed efforts with Bill C-11 in 2020 and Bill C-27 in 2022. My first post on the new bill focused on what I think remains both the most important development and the biggest mistake: the decision to push the Privacy Commissioner of Canada out of private-sector privacy and to place the file with an overloaded digital safety commission. For years, privacy critics have argued that, given the absence of order-making powers or serious penalties, Canada’s biggest shortcoming has been weak enforcement. Yet just as the government adds much-needed new rights and penalties to the privacy law framework, it undermines enforcement once again by introducing a new regulator that will take years to establish. The consequence is that, rather than updating the law for 2027, it is updating it for 2030 or later.
Archive for June 18th, 2026

Law Bytes
Episode 275: David Loukidelis on Why Stripping Privacy Enforcement from Canada’s Privacy Commissioner in Bill C-36 is Unnecessarily Risky Policy
byMichael Geist

June 22, 2026
Michael Geist
Search Results placeholder
Michael Geist on Substack
Recent Posts
Blocked Twice: How Bill C-34’s Kids’ Social Media Ban Would Compound the Online News Act’s Harm to Young Canadians’ News Access
The Law Bytes Podcast, Episode 275: David Loukidelis on Why Stripping Privacy Enforcement from Canada’s Privacy Commissioner in Bill C-36 is Unnecessarily Risky Policy
The Data on Australia’s Social Media Ban: The Better the Privacy Protection, The Less Effective the Ban
Shaky Ground Gets Shakier: What the U.S. Supreme Court’s Location Data Decision Means for Bill C-22
The Two Weeks That Reshaped Canada’s Digital Policy

