Canada Canada AIDA artificial intelligence data act

Canada's Bill C-36 Trades AIDA's Broad AI Rulebook for a Narrower Privacy-Law Disclosure Trigger

Bill C-36 replaces PIPEDA with GDPR-style automated-decision disclosure and confirms Canada will not revive standalone AI legislation.

Bill C-36 By the Numbers People of Internet Research · Canada 3% revenue Max administrative penalty Or $10M, whichever is greater, und… 5% revenue Max criminal fine Or $25M, whichever is greater, for… 60% AI adoption target, 2034 Up from roughly 12% today, under C… 25 yrs Age of law being replaced PIPEDA has governed private-sector… peopleofinternet.com
Bill C-36 By the Numbers People of Internet Research · Canada 3% revenue Max administrative p… 5% revenue Max criminal fine 60% AI adoption target, 2034 25 yrs Age of law being replaced peopleofinternet.com

Key Takeaways

Canada has settled a three-year argument about how to regulate algorithmic decision-making, and the answer is: through privacy law, not a standalone AI statute. On June 15, 2026, the government tabled Bill C-36, the Protecting Privacy and Consumer Data Act (PPCDA), which repeals Part 1 of the 25-year-old Personal Information Protection and Electronic Documents Act (PIPEDA) and replaces it wholesale. Buried in the bill's transparency provisions is the real policy signal: organizations must explain an automated decision only when it "could have a legal or similarly significant effect" on the individual (Section 63(4)) — the same threshold the EU's GDPR has used since 2018. The broader Artificial Intelligence and Data Act (AIDA), which died on the order paper in January 2025 after three years stuck inside the omnibus Bill C-27, stays dead. Prime Minister Mark Carney's national strategy, AI for All, launched June 4, pairs a $200-billion growth target and a push to lift AI adoption from roughly 12% to 60% by 2034 with new legislation aimed at specific harms — deepfakes, surveillance pricing — rather than a horizontal AI rulebook.

What Actually Changed

PIPEDA's principles-based, complaint-driven model gives way to a genuinely punitive regime. The bill creates a new Digital Safety and Data Protection Commission of Canada, replacing the Office of the Privacy Commissioner (OPC) as private-sector regulator, with power to issue administrative monetary penalties up to the greater of $10 million or 3% of global revenue, and criminal fines up to the greater of $25 million or 5% of global revenue for the most serious offences. Privacy Commissioner Philippe Dufresne welcomed the bill, saying he was "pleased to see many of my recommendations reflected," citing privacy-as-fundamental-right language, mandatory privacy impact assessments, and stronger enforcement teeth. On automated decision-making specifically, C-36 requires a general public account of any automated decision system a company uses, and — where the legal-or-significant-effect bar is met — an individual can demand the type of personal data used, its source, the principal factors behind the outcome, and a chance to make representations to a human reviewer capable of revisiting the decision (Sections 63(5)-(6)).

The Case for AIDA-Style Coverage

Critics have a real argument, and it deserves a fair hearing before it gets rebutted. The Canadian Civil Liberties Association's Tamir Israel argues that C-36 "suffers from a marked absence of any effective protections against AI systems despite the well-documented harms this emerging suite of technologies is already causing," and that the transparency measure it does offer is "weakened by broad exceptions." The CCLA also flags a de-identification loophole that lets firms retain data indefinitely once it is only superficially anonymized. These are not manufactured objections. Algorithmic systems increasingly make or shape decisions — credit, hiring, insurance pricing, content moderation — that fall well below a bright-line "legal effect" threshold but still shape people's lives materially, and a narrow trigger will genuinely let some consequential automated processes escape any explanation duty at all. A regulator captured by industry-friendly drafting could exploit that gap for years before anyone notices.

Why the Narrower Trigger Is the Right Call Anyway

Even granting all of that, folding algorithmic accountability into privacy law with a GDPR-calibrated trigger is the more defensible design, for three reasons. First, AIDA's core defect was never that it regulated AI — it's that it tried to regulate all "high-impact" AI systems through a single, vaguely defined category, enforced by a commissioner housed inside the same ministry promoting AI adoption, with obligations that could attach before a company even knew if its product qualified. That ambiguity, more than any single provision, is why industry groups treated it as harder to comply with than the EU AI Act itself, and why it could not survive contact with a minority Parliament. Second, a legal-or-significant-effect standard is not a loophole invented for this bill — it is the operating definition regulators in Brussels, London, and (functionally) California have already spent years litigating and clarifying, which means Canadian companies operating across those markets get one compliance target instead of four incompatible ones. Third, the penalty structure that actually disciplines corporate behavior — up to 5% of global revenue — now attaches to privacy violations generally, including automated-decision failures that touch personal data, which covers the overwhelming majority of the harms critics cite. A single powerful regulator enforcing one coherent statute beats two regulators each enforcing a narrower one badly.

The CCLA is right that some algorithmic harms fall outside "legal or similarly significant effect," and Parliament's committee stage — Bill C-36 begins Second Reading when the House returns September 21, 2026 — is the venue to test whether that threshold needs tightening for specific high-risk categories like credit scoring or tenant screening. But abandoning AIDA's unbounded, ministry-adjacent model in favor of a bounded, judicially-tested standard embedded in an enforceable privacy statute is a more coherent and more enforceable outcome than the three years of drift that preceded it.

Sources & Citations

  1. Bill C-36, First Reading — Parliament of Canada
  2. Privacy Commissioner Statement on Bill C-36 — OPC
  3. PM Carney Launches AI for All Strategy — PMO
  4. CCLA Press Release on Bill C-36
  5. Parliament of Canada: Bill C-36 (First Reading)