If you have spent any time treating PIPEDA as a soft law, Bill C-36 is your notice that the era of polite recommendations is ending. The bill, introduced at First Reading in June, brings in the 'Protecting Privacy and Consumer Data Act' and repeals the privacy portion of PIPEDA. I want to stress up front that this is a draft bill, so it can and will change, and it can be delayed. But the trajectory is clear enough that waiting for it to become law before preparing is a poor bet.
Here is what changes from the regime you know today.
Enforcement stops being a gentle suggestion. Under PIPEDA, the Privacy Commissioner could investigate and make findings, but the real consequences were reputational. C-36 introduces administrative monetary penalties with a ceiling of the greater of $10m or 3% of global revenue. It also creates a private right of action, so once a contravention has been established by the regulator or the courts, affected individuals can pursue damages directly. This is the GDPR playbook, and it lands squarely in Canada. If nothing else in this article moves you, that should.
A privacy management program becomes mandatory. PIPEDA expected you to be accountable in a general sense. C-36 requires a documented privacy management program as a standing obligation, not a nice-to-have you assemble when a regulator or the commissioner comes knocking. For most software companies I work with, the program exists in fragments across a few people's heads and a Confluence site (if we're lucky). That will no longer be enough.
Cross-border transfers get a paper trail. Where PIPEDA leaned on accountability for transfers to service providers, C-36 builds in a requirement to assess cross-border transfers formally. If your stack runs through US 'big-tech', sub-processors in multiple jurisdictions, or offshore development teams, you will need to demonstrate you have actually thought it through. The assessment is the artifact a regulator will ask for.
Automated decisions come with explanation rights. This is the genuinely new ground. C-36 gives individuals the right to an explanation of automated decision systems and, in defined circumstances, a right to human review. If you are building anything that scores, ranks, or decides about people without a human in the loop, this provision is aimed directly at you. PIPEDA had nothing comparable.
So how does this sit against GDPR? Closer than PIPEDA ever did. The penalty structure, the management program, the transfer discipline, and the automated decision rights all echo the European framework. The core difference is that C-36 keeps a distinctly Canadian shape around identifiability, treating de-identified data as still in scope while anonymized data sits outside the Act entirely. That distinction matters enormously for how you handle data in practice, and it is one of the areas where I see the most confusion coming.
Why act now on a bill that has not passed? Because the work that C-36 demands (documenting your programme, mapping your transfers, understanding your automated systems) is work you should be doing already, particularly if you have global ambitions. None of it is wasted effort if the bill changes. All of it is painful to do under deadline if you wait. Building a right-sized programme takes months, not weeks, and starting from a position of readiness is far cheaper than starting from a position of panic.
If you want to walk your executive team or your board through what C-36 means for your specific operations, or you would like help getting a proportionate privacy programme in place before this lands, I am happy to come in and talk it through. You can reach me at rossgsaunders.com.