As the Canadian federal government signals its intention to reintroduce privacy reform legislation, this is a timely opportunity to revisit the status of Bill C-27 when it stalled earlier this year and unpack the bill's implications for upcoming legislative efforts.

Where we left off

On January 6, 2025, the prorogation of Parliament halted the legislative progress of all bills on the Order Paper. With prorogation, the detailed clause-by-clause review of Bill C-27 underway in the Standing Committee on Industry and Technology (INDU) also came to a close.

Bill C-27 represented an ambitious overhaul of Canada's digital governance regime by bundling three distinct legislative initiatives:

  • Consumer Privacy Protection Act (CPPA): A comprehensive update intended to replace Part I of the Personal Information Protection and Electronic Documents Act (PIPEDA).
  • Personal Information and Data Protection Tribunal Act (PIDPTA): This proposed the creation of an independent tribunal empowered to hear appeals and impose administrative penalties under the CPPA.
  • Artificial Intelligence and Data Act (AIDA): Canada's first legislative attempt to regulate both high-impact and general-purpose AI systems.

While the integrated approach reflected an understanding of the interconnected nature of data privacy and AI, the bundling introduced significant procedural and political hurdles, complicating consensus-building and legislative momentum.

Signals from committee

The clause-by-clause review of Bill C-27 beginning in April 2024 illuminated several cross-party policy priorities and fault lines:

  • Strengthening privacy protections: Opposition parties championed amendments to enshrine privacy as a fundamental right explicitly within the CPPA preamble.
  • Refined definitions and scope: Amendments proposed precise definitions for "personal information," "minor," "anonymize," "profiling," "sensitive information," and "significant impact," seeking enhanced clarity in a complex legislative scheme.
  • Enforcement and institutional architecture: The proposed Personal Information and Data Protection Tribunal emerged a divisive issue. Opposition parties raised concerns that the Tribunal could delay enforcement and weaken the authority of the Office of the Privacy Commissioner of Canada, sparking extensive debate. This impasse underscored fundamental disagreements over how best to balance enforcement with procedural efficiency.
  • Consideration of bill separation: The complexity of addressing privacy and AI within a single bill led to discussions about decoupling the two, permitting privacy reforms to advance independently of AI regulation. However, no consensus was achieved before prorogation.

These committee dynamics underscored intense scrutiny of Bill C-27, reflecting the need for substantive policy refinement in critical areas.

What this means going forward

While Bill C-27's demise leaves many questions open, Parliament's work provides a clear roadmap for the next iteration of privacy legislation:

  • Privacy reform as a continuing priority: Strengthening individual rights, ensuring precise definitions of critical concepts, and enhancing enforcement mechanisms are likely to remain priorities.
  • Decoupling AI regulation: There was a pervasive sense that bundling AI regulation with privacy reform in Bill C-27 hindered progress. Moving forward, AI regulation will be considered separately, allowing more focused debate and tailored frameworks for AI and privacy.
  • Institutional framework debate: The potential role of a Tribunal may remain an issue. Future legislation will likely seek to balance administrative efficiency and enforcement mechanisms.
  • Stakeholder engagement: Given the contentiousness and complexity of Bill C-27, along with its slow journey through the legislative process, broad stakeholder engagement and transparent consultation will be essential to building durable consensus.

Stay informed

The legislative landscape remains dynamic. We continue to monitor developments as new information emerges. For tailored guidance on how these changes might impact your organization, please contact a member of our Cyber Security and Data Protection team.

For a comprehensive summary of Bill C-27's journey through Parliament, see our Bill C-27: Timeline of developments.