This article summarises publicly available guidance from regulators and official sources. It is general educational information only and does not constitute legal or professional advice. Requirements vary by jurisdiction. Consult your regional authority or a qualified professional for advice specific to your situation.
If you've already got a working answer to which Canadian privacy law applies to your AI tools today, the next question is whether that answer is about to change. A new bill is now in front of Parliament that would eventually replace the federal law your business currently follows.
In short: Bill C-36, which would enact the Protecting Privacy and Consumer Data Act (PPCDA) and replace PIPEDA, received first reading in the House of Commons on 15 June 2026. Unlike its predecessor Bill C-27, which bundled privacy reform together with the now-dead AI and Data Act, Bill C-36 deliberately does not include standalone AI regulation. It is at a very early legislative stage, Parliament resumes in September 2026 with second reading expected in the fall, and nothing in it is in force. PIPEDA remains the current, binding federal law today.
Why this bill exists, and why it looks different from the last attempt
Canada's last serious attempt at federal privacy reform, Bill C-27, died on the order paper in January 2025 when Parliament was prorogued, and was never reintroduced after the following election. That bill had bundled two very different things together: an overhaul of federal private-sector privacy law and a brand-new AI-specific statute, the Artificial Intelligence and Data Act (AIDA). Bill C-36 takes a visibly different approach: it is solely focused on privacy reform, and the government's own AI strategy signals it intends to address AI governance through privacy law, policy, and investment rather than a separate AI-specific act.
What Bill C-36 actually proposes
The bill would replace PIPEDA with a new statute, the Protecting Privacy and Consumer Data Act, and shift federal private-sector privacy oversight from the Privacy Commissioner's current office to a new Digital Safety and Data Protection Commission of Canada. It proposes broader exceptions to the existing consent-based model, including specific provisions addressing the use of publicly accessible information to train AI models, an area where the current PIPEDA framework is widely seen as unclear. It would also introduce meaningful financial consequences for non-compliance, administrative monetary penalties running into the millions of dollars for serious breaches.
What this means for a business using AI on client data today
An operations manager at a 25-person Canadian professional-services firm using AI tools on client data doesn't need to change anything today. Bill C-36 is at first reading only, the earliest stage a bill can be at, and Parliament rose for its summer recess before even reaching second reading. A realistic timeline for this kind of reform, based on how long similar bills have historically taken, is 12 to 24 months from first reading at minimum, and Bill C-27 shows that a bill at this stage can also simply not survive to become law at all.
The practical takeaway right now is to keep following PIPEDA, the OPC's existing guidance, and any applicable provincial law such as Quebec's Law 25, exactly as before. Treat Bill C-36 as a bill worth watching, not a new obligation to act on.
The one provision worth watching closely
The bill's broader consent exceptions for training AI models on publicly accessible information are the provision most directly relevant to a business using or building AI tools. If this passes largely as introduced, it could meaningfully change what's permitted when training or fine-tuning a model on scraped or publicly available data under federal law. That's a real reason to keep an eye on this bill's progress specifically, even while there's nothing to act on yet.
The new regulator being proposed
Alongside the substantive privacy changes, Bill C-36 proposes moving private-sector enforcement away from the current Office of the Privacy Commissioner of Canada to a newly created body, the Digital Safety and Data Protection Commission of Canada. If this passes as introduced, it would represent a genuine institutional change, not just a rewording of existing rules, and could eventually change who a business actually deals with for a complaint or an enforcement matter.
For now, the OPC remains the relevant federal privacy regulator, and any current guidance or enforcement activity should be treated as coming from the OPC, not from a commission that doesn't yet exist.
What you can do about it
Three practical steps: keep complying with PIPEDA and any applicable provincial law exactly as you do today, since nothing about Bill C-36 changes current obligations; note the bill's progress at second reading in the fall as a checkpoint worth watching rather than something requiring immediate action; and if your business trains or fine-tunes AI models on publicly available data, flag the consent-exception provision specifically as one to revisit once the bill's text firms up.
This is general information about a proposed bill, not legal advice on a specific compliance position. Confirm your current obligations with the Office of the Privacy Commissioner of Canada or a qualified adviser, and don't treat a bill at first reading as settled law.
FAQ
Methodology (Real-World, Verified)
We test AI tools against real SMB workflows: the tasks a 20-person business actually uses AI for, not enterprise demos. Pricing is verified at the vendor's published rates, with local-currency conversions noted where relevant. Compliance notes reference the legislation and regulatory guidance relevant to each article's region. Every tool is judged on one question: could a business with no dedicated IT department actually pick this up and use it on Monday morning.
Related reading: our AI governance by region.
Free tools: AI Privacy Risk Scorer to score your current AI tool setup against data-privacy best practice | AI Compliance Checker to check whether your AI tools meet your compliance obligations.
Is Bill C-36 law yet?
No. It received first reading on 15 June 2026, the earliest stage in the legislative process. It has not passed second reading, committee review, third reading, or Senate approval. PIPEDA remains the current, binding federal privacy law.
Does Bill C-36 regulate AI the way the old AIDA proposal would have?
No. Bill C-36 is deliberately focused on privacy reform only. It does not include a standalone AI-specific statute like AIDA, which died along with the rest of Bill C-27 in January 2025.
Could Bill C-36 fail the same way Bill C-27 did?
Yes, that's a realistic possibility. A bill at first reading can be amended significantly, delayed, or fail to pass entirely, as happened with the previous federal privacy reform attempt. Treat it as a proposal to watch, not settled law.
What should a business actually do right now while this bill is pending?
Continue complying with PIPEDA and any applicable provincial privacy law exactly as before. There is no new obligation created by a bill that hasn't passed, and acting on draft provisions that may still change is not a reliable compliance strategy.
The information in this article is general in nature. It reflects a summary of publicly available guidance and does not constitute legal, privacy, or professional advice. Your obligations will depend on your specific situation, jurisdiction, and business circumstances. Do not rely on this article as a substitute for qualified legal or professional advice.
Want to understand what actually binds your business today, before this bill goes any further? Start with PIPEDA's current federal requirements.
Read the PIPEDA Guide