Canada’s private sector privacy law is more than 25 years old and there is broad consensus that a modernization is long overdue. Bill C-36, tabled on Monday, is the government’s third attempt at updating the law, following the failed efforts with Bill C-11 in 2020 and Bill C-27 in 2022. My first post on the new bill focused on what I think remains both the most important development and the biggest mistake: the decision to push the Privacy Commissioner of Canada out of private-sector privacy and to place the file with an overloaded digital safety commission. For years, privacy critics have argued that, given the absence of order-making powers or serious penalties, Canada’s biggest shortcoming has been weak enforcement. Yet just as the government adds much-needed new rights and penalties to the privacy law framework, it undermines enforcement once again by introducing a new regulator that will take years to establish. The consequence is that, rather than updating the law for 2027, it is updating it for 2030 or later.
I have some additional concerns about the regulatory structure discussed below, but this post focuses primarily on the substance of what is called the Protecting Privacy and Consumer Data Act or PPCDA. The changes fall into three groups: reforms that are genuinely new; a larger set of changes that are welcome but recycled almost intact from the Bill C-11 and Bill C-27 efforts; and a third group that raises significant uncertainty, with key issues left to a regulator or regulations that do not exist.
The government has been emphasizing safeguards for children, and the stronger protections for children in the PPCDA stand out, with a single definition of a child as anyone under 18, the classification of children’s information as sensitive, a best-interests-of-children factor the regulator must weigh, and a higher bar before a child’s request to delete their information can be refused. The bill also provides a statutory definition of sensitive information, an open-ended category linked to a heightened expectation of privacy that expressly captures health, genetic, and biometric data, as well as racial or ethnic origin, political and religious beliefs, and sexual orientation.
There are also new elements linked to artificial intelligence. For example, the definition of personal information now expressly captures information that is inferred about an individual. That is consistent with a recent Globe op-ed I wrote that focused on the privacy implications of AI inference. The bill also adds a right to seek human review of automated decisions that carry a legal or similarly significant effect.
While those are some of the newer additions, there is a larger set of reforms that return from prior proposals. The inclusion of a fundamental right to privacy in the purpose clause is still subject to a balancing act, with its importance potentially overstated (it was not part of the original Bill C-27, but comparable language was added during its committee review). More notably, the bill includes a right to deletion, algorithmic transparency, data mobility, and a conditional private right of action that were part of earlier legislative initiatives. It also revives binding order-making power, administrative penalties of up to the greater of $10 million and three percent of global revenue, and offences reaching five percent of revenue, though the value of these stronger powers is undercut by the change in enforcer.
Consent, often viewed as the foundation of Canadian privacy law, undergoes changes that will take some time to sort out. The bill keeps the existing standard of valid consent, with express consent the default and implied consent the exception. It does not adopt the meaningful consent standard that the Privacy Commissioner has long recommended. At a technical briefing this week, the government nonetheless promoted the reform as delivering meaningful consent, despite the absence of the phrase in the bill itself.
What is more difficult to assess is how and when the PPCDA will work, given several sources of uncertainty. The first is institutional. Placing privacy adjudication inside a commission designed for online harms, and removing the Privacy Commissioner, produces a regulator with some commissioners who are not required to have any privacy expertise and an enforcement process whose internal separation is more formal than real. For example, the commissioner who investigates a complaint and sets the penalty in a notice of contravention is barred from sitting on the review of that notice. However, the bill expressly provides that the other members of the same division that issued it are not disqualified from hearing the review, which is conducted by the same commission that houses the privacy division. In other words, the same commission investigates, sets the penalty, and conducts the review. If there is an appeal, it goes to the Federal Court, but the Supreme Court’s Vavilov decision directs the court to apply appellate standards, which means it reviews the commission’s interpretation of the law for correctness but defers on its findings of fact and its calibration of penalties. Taken together, the PPCDA establishes stronger penalties and enforcement, but shifts the responsibility to a super-regulator with no privacy experience, inconsistent privacy expertise, and a far greater range of responsibilities.
The super-regulator also has less independence than the current Privacy Commissioner, with the government taking a more assertive role in setting privacy priorities and directing the work of the commission. Given the government’s poor track record on privacy, including Bill C-22, that alone may be a concern. But the bigger issue is less independence for privacy regulation in Canada, which may jeopardize our standing with the European Union and the finding that our law meets the adequacy test.
The bill also relies heavily on regulations that do not yet exist, a habit the government cannot seem to break. For instance, the standard for anonymization will involve a test of no reasonably foreseeable risk of identification in the circumstances, but the details are left to regulation. Since anonymized data falls outside the Act entirely as non-personally identifiable information, the regulation will determine how much information escapes the law altogether. The bill invokes privacy impact assessments for issues such as expanded consent exceptions and the rules for transferring data outside Canada, but they are similarly subject to regulations. Meanwhile, the data portability right does not take effect until the government implements it with regulations and even the legitimate interest exception to consent depends on privacy impact assessments that are still to come.
The same pattern shows up in the government’s headline consumer example on surveillance pricing, which is the practice of using personal data to charge different customers different prices. Yet the bill never mentions surveillance pricing, let alone bans it. It instead relies on the requirement that personal information be collected, used, and disclosed only for purposes a reasonable person would consider appropriate, a test that now applies whether or not consent is required and is backed by penalties, but whose application to pricing is left for the new regulator to define through guidance that has yet to be written.
The interaction between the two sides of the commission also merits a mention as a source of uncertainty. Officials at the technical briefing tried to suggest that there can be a clear delineation between online harms responsibilities and privacy regulatory work. I’m not so sure. At the commissioner level, there is clear overlap, with some non-privacy commissioners called upon to address privacy-related matters, and vice versa. Bill C-34 includes a cost-recovery model that will require social media companies to pay the commission’s operational costs. Officials indicated that no such payments would be required for the privacy side of the commission’s work. But the same officials said the commission would provide privacy guidance and rulings on social media services. Which side of the commission is that work, and who pays? I suspect the government has no real idea.
Then there are the timing concerns. I’ve pointed out some of the problems with establishing age-verification standards for the social media ban, which will take effect before the commission is operational. Once it is able to address the issue, Bill C-34 requires it to consult with the Privacy Commissioner, while Bill C-36 repeals that requirement, presumably on the grounds that privacy responsibility has shifted to the commission. But the commission can begin work on age verification before responsibility for privacy has been transferred to it, meaning there could be no privacy review at all for a policy that affects tens of millions of Canadians.
In fact, the timing problem effectively extends to the entire privacy regulatory system. The new regime cannot come into force on its own schedule because the privacy statute is sequenced behind the part of the bill that establishes the new commission’s privacy mandate. Privacy reform has in effect been linked to the passage of an unrelated digital safety bill and to the construction of a super-regulator from scratch, with PIPEDA left to govern the private sector unchanged until the whole apparatus is ready and the switch is thrown in a single step. A standalone revamped privacy bill administered by the existing Privacy Commissioner could have been law and operational within roughly a year. The Bill C-36 approach means these rights and powers will take years to take effect: let’s say a year for the bill, another 18 months for the regulations to just establish the commission, and at least another two years for the commission to bring in the necessary expertise to take on the privacy responsibilities. Rather than getting a new privacy law in effect in 2027, a more likely scenario means waiting until 2030 or 2031 for an untested, inexperienced new regulator.
Given these uncertainties, I can’t join the chorus of support for Bill C-36. To be sure, there are clear, overdue substantive improvements, but it ultimately feels like one step forward, two steps back. Having finally drafted a credible privacy law, the government leaves the provisions that decide what the law actually requires, the institution that will govern it, and the date on which any of it takes effect, for another day. It claimed that trust was the north star of its AI strategy, but the government has put forward a plan that may undermine public trust in privacy regulation as Canadians wait years for it to come to fruition.