What 2026 may bring for Canada's federal privacy reform efforts

IAPP Staff Writer Alex LaCasse reports on the state of play in Canada ahead of new privacy law reform legislation that may be introduced as early as spring 2026.

Contributors:

Alex LaCasse

Staff Writer

IAPP

Efforts to pass Canada's federal private-sector privacy law modernization bill were derailed last year by the resignation of former Prime Minister Justin Trudeau and a subsequent snap general election that threatened the control of government held by the Liberal Party, which first introduced reforms in 2022.

With the dust settled from the election and the Liberal Party still in power, observers following efforts to bring potential Personal Information Protection and Electronic Documents Act updates are eagerly anticipating what may come from the next round of negotiations and debates in the Parliament of Canada.

However, in the months since winning re-election, the Liberal-led government has yet to introduce a comprehensive privacy bill in Parliament. Still, developments have been trickling out about what reintroduced comprehensive privacy reforms may contain.

What stakeholders are hearing, watching for

Privacy and legal observers in Canada are gearing up for a renewed debate in Parliament with an added push to pursue a data sovereignty agenda as outlined by Prime Minister Mark Carney in November 2025, led by the newly established Major Projects Office.

University of Ottawa Canada Research Chair in Information Law and Policy Teresa Scassa and nNovation Counsel Constantine Karbaliotis, AIGP, CIPP/C, CIPP/E, CIPP/US, CIPM, CIPT, FIP, told the IAPP they believe the government was planning to introduce privacy legislation late last year; however, it did not materialize.

"I've heard that a bill was ready to be reintroduced before Christmas, but I believe there was a suggestion it was held up due to data sovereignty concerns (in potential legislation)," Karbaliotis said. "That has been very much dominating the Canadian government in terms of issues lately."

While lawmakers have been tight-lipped, Scassa has heard rumblings about an expedited timeline for reintroduction.

"There have been public statements that it would be introduced before Parliament rises for the summer break," Scassa said. "More recently, the rumors have started to intensify to suggest that it might be introduced in the first quarter of this year."

The prior attempts at reform came under Bill C-27, the Digital Charter Implementation Act, an omnibus bill that contained three pieces of legislation: the Consumer Privacy Protection Act, the Personal Information and Data Protection Tribunal Act and the Artificial Intelligence and Data Act.

The CPPA was widely viewed as housekeeping legislation to modernize PIPEDA, passed in 2000, to bring Canada's private sector data privacy in closer alignment with current global data protection frameworks.

The Tribunal Act would have established an administrative panel to review certain decisions made by the Office of the Privacy Commissioner of Canada, while AIDA represented Canada's first attempt to pass cross-sector law regulating AI.

As C-27 made its way through Parliament, a common complaint among some Parliamentarians, Canadian political observers and privacy stakeholders was that AIDA was overly broad and failed to articulate specific definitions of key AI terms, such as omitting a definition of a "high-impact" system within the bill.

Many believed C-27 had a better chance at passing prior to the election being called if AIDA had been severed from the broader package, but Parliament never took that procedural step.

When the European Commission renewed Canada's data adequacy in January 2024, Karbaliotis told the IAPP at the time it was a "fundamental mistake," because it greatly diminished lawmakers' urgency to modernize PIPEDA, despite the Commission stating directly in its decision that C-27 was a significant factor in the renewal and it would "closely monitor" future efforts to update PIPEDA.

Although privacy reform efforts have stalled at the federal level in Canada since 2020, first with Bill C-11, and later C-27, Scassa said a new bill will have the opportunity to patch holes in the non-AIDA portions the C-27 framework missed the first time around.

Along with dropping comprehensive AI provisions, Scassa said she supports eliminating the tribunal overseeing the OPC altogether as well, which was a major component of the C-27 package. She said current political chatter is that something resembling C-27's Tribunal Act could be re-introduced in some way, shape or form, however.

"There's really quite a lot that could be tweaked or changed," Scassa said in an email. "The privacy of children and youth has received much more attention domestically and internationally, and C-27 did not go as far as it could or should have in this respect. There was also some concern over how the government had framed legitimate interests as an exception to consent and not as a separate basis for processing data."

Along with data sovereignty provisions, Karbaliotis said he believes a new privacy bill will have increased risk assessment requirements for transferring data outside of Canada. He said such obligations could serve to codify some of Quebec's Law 25 transfer provisions on the federal level.

"One criticism of the privacy portion of C-27 was it did not explicitly require a privacy impact assessment," Karbaliotis said. "(Data sovereignty) I think will be viewed positively in the sense that one of the concerns that Europe has always had about (Canada) is onward data transfers, because if data is coming to Canada, then the question is what constraints are there on it from flowing elsewhere?"

OPC seeks new responsibilities when privacy bill introduced

In an emailed statement to the IAPP on potential reintroduction of a reform bill, Privacy Commissioner of Canada Philippe Dufresne said, because "more and personal data is being collected, used and shared" in modern digital life, there is an urgent need to reform Canada's privacy laws.

"Canada needs modernized privacy laws to reflect this modern world," Dufresne said.

In October 2025, Dufresne submitted testimony to the Senate Standing Committee on Legal and Constitutional Affairs on Bill S-209, which would implement age assurance requirements to restrict youth access to adult content websites, and discussed the need to update both PIPEDA and the public sector Privacy Act. 

He outlined seven key provisions that should be included in the next comprehensive privacy bill, including enforcement powers to issue binding orders, issue administrative monetary fines and conduct "proactive" audits, promoting a deidentification framework, and empowering citizens to control their personal data through right-to-deletion mechanisms. He asked committee members for similar provisions to be included in future Privacy Act reform measures, as well. 

"I have identified … my priority recommendations for modernizing our federal private-sector privacy law because they would strengthen key regulatory powers and address systemic issues that my Office has observed," Dufresne wrote to the committee. "My recommendations for stronger enforcement mechanisms would give me tangible and effective tools to promote compliance with PIPEDA and significantly enhance my Office's ability to protect Canadians and their fundamental right to privacy."

Additionally, the OPC sought specific language that offers enhanced privacy protections for children. Dufresne said he also wants proposed legislation to contain a requirement that his agency develop a code of practice for children's privacy.

"With respect to children's privacy, PIPEDA currently does not contain any special privacy protections for children who are particularly vulnerable to risks in the digital world," Dufresne wrote to senators. "Recognizing the best interests of the child in the law would require that young people's rights and well-being be primary considerations in any decisions or actions concerning them, while also encouraging organizations to build privacy for minors into products and services by design and discouraging harmful practices."

How Canada is addressing AI following rejection of AIDA

The Canadian government is planning to release its national AI Strategy sometime this year. So far, the effort has produced a report on a public consultation held throughout last October, in which 11,300 participants generated 64,600 responses to 26 questions focusing on eight key areas of AI policy, including adoption across industry and government, commercialization of AI, and fostering safe AI development. 

Scassa anticipates the AI Strategy to mostly focus on AI investment and supporting AI uses in the economy. She said specific issues such as consumer harms created through the use of AI-powered automated decision-making tools could potentially be addressed in a privacy bill. 

"Privacy law reform will have important implications for AI governance," Scassa said. "Although a general AI regulation bill is not likely, this does not mean that there is no AI regulation or AI governance (ongoing). There is already considerable activity on a sectoral basis to address emerging AI governance issues."

While AIDA's attachment to the rest of C-27 may have been the driving force behind its legislative demise, Karbaliotis said the deliberate approach Canada is taking to possibly pursue an overarching AI regulation down the line should not bog down its privacy law reform efforts. 

"All the things that apply in privacy will continue to apply to AI, after all it is just another technology," Karbaliotis said. "My view is that a robust privacy law is one of the most important elements of AI regulations because it sets a baseline."

Commissioner Dufresne appeared before the House of Commons Standing Committee on Access to Information, Privacy and Ethics earlier this month to discuss the role his office, and data protection in general, plays in AI development and use. Dufresne discussed privacy by design and transparency as necessary pillars of a framework, while noting Canada's privacy laws "must be able to meet this challenge, and to do so will require modernization."

"Organizations that use AI should be transparent about this use, and accountable for any AI-generated decisions about individuals, such as whether to grant someone a loan or a job," he told the committee. "As technologies continue to evolve rapidly, and become increasingly integrated into personal and professional lives, it is our collective role — of regulators and policy makers — to ensure that privacy is protected for current and future generations."
