Canadian privacy laws: new rules for a new era

More than 20 years after PIPEDA, Canadian privacy laws are entering a bold new era. Is your organization ready?

Following in the uncompromising spirit of Europe's General Data Protection Regulation (GDPR), Canadian jurisdictions are looking to modernize - and give real teeth to - the way consumer data and personal information are protected in the digital era. Indeed, a slate of new and proposed legislation is shaping public discourse around privacy in Canada, while promising to change the playing field for public and private organizations from coast to coast. 

240923-privacy-topic-overview

Digital Charter Implementation Act (Bill C-27)

In June 2022, the Government of Canada introduced Bill C-27, the Digital Charter Implementation Act 2022. Targeting the private sector, the Bill proposes to expand the powers of the Privacy Commissioner of Canada, increase monetary penalties for serious violations, establish a new administrative tribunal, and introduce new rules regulating artificial intelligence (AI) systems.


Bill C-27 passed second reading in the House of Commons on April 24, 2023.

Protecting Canada's critical infrastructure (Bill C-26)

Bill C-26,An Act respecting cyber security, amending the Telecommunications Act and making consequential amendments to other Acts, proposes two important measures:

  • Amending portions of the federal Telecommunications Act to authorize the government to impose obligations on telecommunications service providers to "secure the Canadian telecommunications system" and;
  • Implementing the Critical Cyber Systems Protection Act (CCSPA), which would empower the government to designate services or systems as vital and to impose data protection obligations on their operators, require mandatory reporting of cyber security incidents, and facilitate threat information exchange "between relevant parties."

Bill C-26 had its second reading in Parliament on Dec. 1 2022.


Québec's Law 25

A forerunner to the type of reform being contemplated at the federal level, Quebec's Law 25 (aka Bill 64), An Act to modernize legislative provisions as regards the protection of personal information, represents the most significant privacy legislation development in Canada in many years. It puts into force sweeping changes regulating the collection, use, and communication of personal information, and significantly increases penalties for non-compliance.

Modernizing privacy in Ontario

In June 2021, Ontario's Ministry of Government and Consumer Services published a white paper titled White paper - Modernizing Privacy in Ontario and invited feedback from public and private stakeholders. Part of Ontario's Digital and Data Strategy, the white paper proposes a provincial privacy framework designed to remedy what it alleges are fundamental flaws in Federal Bill C-11 (a precursor to C-27 that died on the order paper in 2021).


It remains to be seen whether Ontario will still elect to pursue its own legislative path, or if Bill C-27 can go further in satisfying the province's privacy agenda.

Legislative development in British Columbia

On April 13, 2021, the Legislative Assembly of British Columbia agreed that a Special Committee be appointed to review the Personal Information Protection Act (S.B.C. 2003, c. 63) pursuant to section 59 of that Act.


The Special Committee presented its report to the Legislative Assembly on December 6, 2021. The Report made 34 recommendations for significant changes to PIPA, concluding that: "PIPA must be modernized to safeguard rights for individuals and provide up-to-date provisions to ensure competitiveness for British Columbia's businesses."


With respect to the public sphere, amendments to BC's Freedom of Information and Protection of Privacy Act (FIPPA) were passed into law under Bill 22 on November 25, 2021. While the majority of Bill 22's provisions came into force immediately, several additional provisions came into force more recently, on February 1, 2023. The updated legislation requires public bodies to have in place a privacy management program and to comply with new privacy breach notification obligations.

Get prepared

Do your organization's privacy policies and protocols comply with existing laws? Will they satisfy the requirements of future legislation?

Let us help you stay one step ahead in this evolving landscape. Explore our resources, or contact a member of our team below to begin a conversation.

Cyber security and data protection

Our team of cyber security and data protection lawyers takes a pro-active approach to safeguarding your world.

Learn more
Canadian-privacy-laws-cyber-security-data-protection-crop