The government’s recently tabled privacy reform bill would modernize many aspects of Canadian privacy law, including establishing privacy as a fundamental right in the purpose clause of the new law, creating a data mobility right for individuals that would enable them to move their data from one company to another, and giving businesses the potential to use approved codes of practice. These and many other changes will be subject to intense debate at committee, but the biggest challenge facing the bill is the long sequence of steps required for it to take effect. The government may claim that privacy is an urgent priority, and its recent national AI strategy, overseen by AI Minister Evan Solomon, declares trust to be its “north star”, yet a careful review of Bill C-36 confirms that the law will take years to take effect. This post and the accompanying infographic unpack the many steps built into the bill that, cumulatively, are likely to result in no substantive privacy reforms for Canadians until 2030 or later.

The first step has nothing to do with privacy at all. Bill C-36 does not bring its new regime into force on its own. Part 3 of the bill is the gate the rest must pass through, and the bill’s coming-into-force provision ties that gate to a separate statute: it provides that Part 3 comes into force only if Bill C-34, the online harms legislation, receives royal assent, and even then not before the new Commission is established under section 4 of the Digital Safety Commission of Canada Act. Every other part of the bill, and the new Act’s own provisions under its section 147, can take effect only once Part 3 is in force. Until Bill C-34 becomes law, C-36’s privacy reform has no trigger, which means Canada’s new privacy law cannot get out of the starting gate until the other bill does.

The second step creates the Digital Safety Commission, but only as a non-functioning regulator. Even after Bill C-34 passes, the Commission comes into existence only when section 4 of the Digital Safety Commission of Canada Act is proclaimed by order of the Governor in Council. There is no deadline or timeline for that step, which involves nothing more than declaring the Commission established. On the day it is proclaimed, the Commission will have no members, no chair, no staff, no rules, and no money.

The third step is the longest as it builds the Commission into a working regulator, initially only for online harms. Before the newly established Commission can do anything, the government must appoint its members and a chair, hire its staff, and make the regulations that fund it. Meanwhile, the Commission must adopt its own rules of practice and address its 31 separate regulation-making powers, each of which requires a consultation period. Department officials have acknowledged that this is likely to take 12 to 18 months. The bill itself contemplates an extended startup period, since section 23 of the Digital Safety Commission of Canada Act permits the Commission to operate with only the Chairperson in place until a Chair and at least two other members are in office.

The fourth step finally turns to privacy, though only on paper. Once the Commission exists, the government can issue a further order in council proclaiming Part 3 of Bill C-36, which renames it the Digital Safety and Data Protection Commission, fixes its membership at five, and adds private-sector privacy to its mandate. Part 3 sets up the cabinet-appointed Commission as the future home of privacy enforcement, but it does not yet displace anyone: the Privacy Commissioner of Canada, an Agent of Parliament, keeps that authority until the next step.

The fifth step switches on the new privacy law, but even that is not a single act. Bringing it into force involves two separate cabinet decisions. First, under section 147, the Protecting Privacy and Consumer Data Act takes effect only by order in council and only after Part 3 is already in force. Second, the repeal of PIPEDA’s private-sector rules, which sits in Part 2 of the bill, takes effect the same way, under the bill’s coming-into-force provision. It is at this point that the Privacy Commissioner of Canada is removed from private-sector enforcement: repealing PIPEDA ends the mandate it has held since 2000, and switching on the new law vests that authority in the cabinet-appointed Commission.

The sixth step puts someone in charge of the privacy law. The Commission’s privacy side is effectively a separate house from the online harms side. The Governor in Council must designate one of the Commission’s members, other than the Chairperson, as the Privacy and Consumer Data Commissioner under section 85, and the Commission must constitute a Privacy and Consumer Data Division under section 89, composed of that Commissioner and at least one other member. Only the Commissioner and the Division can administer and enforce the new law through complaints, inquiries, reviews, and penalties. Because they are creatures of the new statute, they cannot be put in place until the law is in force, so they necessarily come after it is switched on. The government can therefore declare the privacy law in force before there is anyone designated to enforce it.

The seventh step comes after the law is in force and operating, because several of the rights and powers the government promotes do nothing until further regulations are written. For example, the data mobility right in section 72 requires an organization to make an individual’s data portable only where both companies are subject to a data mobility framework, and those frameworks exist only once cabinet makes regulations under section 140 prescribing the safeguards, the technical standards for interoperability, and the firms they cover. The compliance certainty the bill offers business works the same way. Organizations can rely on an approved code of practice or certification program under sections 92 and 93 only once the Division has reviewed and approved it, and the criteria for that approval are themselves left to regulation under sections 92(3) and 93(2).

These steps will take years to complete. In the meantime, PIPEDA continues to govern and the Privacy Commissioner continues to oversee the private sector under a law the government itself calls outdated. The government could have brought a privacy bill into force through the existing regulator, with the new rules taking effect at once. It has instead placed its new rights and powers behind a Commission that does not yet exist, a rulebook that has not been written, a privacy office that has not been filled, and regulations it has not drafted. The government may call privacy an urgent priority, but the many steps make for a long privacy reform road ahead.