Canada’s Regulatory Overhaul: The Protecting Privacy and Consumer Data Act Sparks Debate Over "Super-Regulator" Powers

In a landmark legislative move, the Canadian government has introduced the Protecting Privacy and Consumer Data Act (Bill C-36), a comprehensive framework designed to modernize the regulation of personal information within the private sector. By enshrining privacy as a fundamental right and mandating heightened transparency for digital businesses, the bill represents the most significant shift in Canadian data law in decades. However, the legislation has ignited a fierce national debate, centered primarily on the government’s decision to shift enforcement authority from the traditional Privacy Commissioner to a newly expanded Digital Safety Commission—a move critics are calling the creation of a "digital super-regulator."

The Core Provisions of Bill C-36

Bill C-36 seeks to modernize how commercial entities handle the vast troves of personal data collected in the digital age. The legislation pivots on the principle of "valid consent," requiring companies to move beyond opaque terms-of-service agreements. Under the proposed act:

• Plain Language Mandates: Companies are legally required to disclose the purposes and consequences of data collection in clear, accessible language.
• Transparency Requirements: Businesses must explicitly notify consumers about the categories of information being harvested and whether that data is shared with or accessible to third-party entities.
• The Right to Erasure: Empowering the individual, the bill formalizes the right for consumers to request the permanent deletion of their personal information from corporate databases.
• Accountability Frameworks: Companies will be required to maintain and submit comprehensive privacy management programs upon request by the regulatory body.

By codifying these requirements, the federal government aims to foster a "trust-based" digital economy, aligning Canada with international standards like the European Union’s GDPR, while simultaneously advancing the country’s broader National AI Strategy.

Chronology of Legislative Action

The introduction of Bill C-36 does not exist in a vacuum; it is part of a rapid, aggressive sequence of digital policy maneuvers by the current administration:

• June 4, 2026: Prime Minister Mark Carney officially launches the National Artificial Intelligence Strategy, emphasizing the need for increased AI literacy and the establishment of foundational AI infrastructure to ensure Canada remains competitive on the global stage.
• June 10, 2026: The government tables Bill C-34 (The Digital Safety Act). This bill focused on protecting minors from addictive social media algorithms and harmful content, though it immediately faced backlash over its proposed age-verification requirements, which critics labeled "highly invasive."
• June 15, 2026: Privacy Commissioner Philippe Dufresne issues a formal statement welcoming the privacy-centric goals of the new legislative agenda while expressing the need for a rigorous assessment of the proposed enforcement shifts.
• June 22, 2026: Bill C-36 is formally introduced, sparking immediate concern from civil liberties advocates and legal scholars regarding the centralization of regulatory power.

The Shift in Enforcement: A "Super-Regulator"

Perhaps the most contentious aspect of Bill C-36 is the structural realignment of enforcement. Currently, the federal Privacy Act grants the Office of the Privacy Commissioner (OPC) oversight of both public and private sector privacy issues. Under the new bill, the enforcement of private-sector privacy would be transferred to the Digital Safety Commission.

This commission, already tasked with policing online harms, would now hold the mandate to initiate investigations, oversee complaints, and demand privacy management programs from corporations. If passed, the current Privacy Commissioner’s mandate would be effectively hollowed out, restricted solely to federal government agencies.

Expert Analysis and Critical Implications

The proposal to consolidate these powers has been met with skepticism by experts, most notably Professor Michael Geist of the University of Ottawa. In his critique, Geist argues that the bill creates a "digital super-regulator" that lacks the institutional safeguards typical of Canadian law.

Procedural Concerns

Geist highlights several "red flags" regarding the commission’s operational structure:

1. Secret Hearings: Unlike traditional courts or the current OPC oversight, the commission has the authority to conduct proceedings behind closed doors, limiting public and judicial scrutiny.
2. Weak Rules of Evidence: The commission is not bound by standard rules of evidence, raising questions about the fairness of its investigative processes.
3. Governance Risks: Decisions can be made by a single appointee. Given that these appointees are selected by the federal Cabinet, critics fear a lack of independence and an increased susceptibility to political pressure.

In contrast, the current Privacy Act provides a system of checks and balances that mandates consultation with party leaders in both the Senate and the House of Commons, requiring broad parliamentary consensus for major regulatory appointments. The move toward the commission model is seen by some as a bypass of these democratic safeguards.

Official Responses and Government Intent

Evan Solomon, the Minister of Artificial Intelligence and Digital Innovation, has defended the legislation as an essential pillar of Canada’s future. In a recent statement, Solomon noted that the bill is designed to "build trust in new technologies" at a time when AI integration is accelerating across the private sector. The government maintains that a specialized commission is better equipped to handle the high-speed, complex technical nature of modern data and AI policing than the current, traditional model.

Privacy Commissioner Philippe Dufresne has maintained a cautious but diplomatic stance. In his assessment, he acknowledged that the bill would indeed enhance privacy protections for Canadians, particularly regarding the safety of children online. However, he stopped short of a full endorsement, noting that he would perform a thorough analysis of the transfer of powers before providing formal recommendations to Parliament.

The Shadow of Bill C-34

The reception of Bill C-36 is heavily influenced by the negative fallout from Bill C-34, the Digital Safety Act. Because the government is proposing that the same commission—the Digital Safety Commission—oversee both privacy and content moderation (such as the regulation of AI chatbots and social media algorithms), critics fear the commission is becoming too powerful.

The Canadian Civil Liberties Association (CCLA) has already warned that the powers granted to the commission under C-34 are "uncertain" and pose significant risks to freedom of expression. When C-36 was introduced to shift private-sector privacy to that same body, those fears were amplified. The concern is that by combining privacy enforcement with content-policing, the government is creating a body that has the power to define what is "safe" online, effectively acting as an arbiter of both data and speech.

Future Outlook: The Path Ahead

As Bill C-36 moves through the parliamentary process, it faces a turbulent road. The government argues that the digital landscape is too complex for the current regulatory framework and that a consolidated, tech-focused commission is the only way to hold multinational tech giants accountable.

However, the opposition and legal community remain focused on the potential for government overreach. The primary challenge for the bill’s supporters will be to prove that the commission can operate with the same transparency and independence as the Office of the Privacy Commissioner. If the government fails to address concerns regarding secret hearings, lack of evidence-based rules, and the risk of political influence, Bill C-36 may face significant amendments or public resistance.

Ultimately, Canada stands at a crossroads. The country is attempting to define the parameters of a "digital democracy," but in its rush to regulate, it faces the risk of trading one set of privacy issues for another—the challenge of an unchecked, centralized regulatory authority. Whether this "super-regulator" becomes a bastion of digital safety or a tool for institutional overreach will depend on the parliamentary debates to come in the autumn session.