Canada’s Digital Super-Regulator: Bill C-36 Pushes Out the Privacy Commissioner and Hands Private Sector Privacy to an Overloaded Commission
A stunning abrogation of good policy development and a poorly conceived vision of the breadth and importance of privacy.
In the last act of an incredibly intense digital policy stretch, the government today tabled new private sector privacy legislation in the form of Bill C-36, the Protecting Privacy and Consumer Data Act. It is a big bill, and my initial take will be divided into two: this post will focus on the seismic shift the bill creates for privacy administration and enforcement, and a second post (hopefully tomorrow) will discuss the substantive changes and additions. I start with the enforcement side because the most consequential feature of C-36 is the question of who will administer the rules. The bill firmly cements the Digital Safety Commission as a new digital super-regulator in Canada, stripping the Privacy Commissioner of authority over private sector privacy law and handing it instead to the same five-member commission the government created a few days ago to police online harms. I believe the approach is unprecedented among peer countries and will have negative repercussions for Canada’s standing in the privacy world. Indeed, removing an Agent of Parliament from private-sector privacy enforcement after decades isn’t something you tuck into a lengthy bill, but rather requires extended public consultation and analysis on how best to ensure Canada has effective privacy enforcement. This is a stunning abrogation of good policy development and a poorly conceived vision of the breadth and importance of privacy.
Bill C-36 really starts with Bill C-34 introduced less than a week ago. As I’ve written, it created the Digital Safety Commission of Canada, which already had an enormous mandate that included administering the social media ban, setting age-verification requirements and age-appropriate design standards, and policing several categories of harmful content. That name lasted only days, however, as Bill C-36 renames it the Digital Safety and Data Protection Commission of Canada, adding private sector privacy enforcement to its list of powers. A single commission of five Governor in Council appointees will now be responsible both for regulating online speech and content moderation across the country’s largest platforms (including standard setting, guidelines, audits, formal, law-enforcement-style investigations, hearings, and adjudicative powers) and for overseeing how every organization in Canada collects, uses, and discloses personal information.
The shift in privacy responsibility leads to two things. First, there will be a new Privacy and Consumer Data Commissioner designated by Cabinet from among the commission’s members, and a Privacy and Consumer Data Division, led by that Commissioner and at least one other member. It will serve as the enforcement tribunal, imposing penalties and reviewing decisions. Second, the Privacy Commissioner of Canada will no longer be responsible for private-sector privacy, with its mandate narrowed to the Privacy Act. For that office, it is 1998 all over again.
The government’s track record on privacy is not good and the consolidation seems to reflect a shift in how the government conceives of privacy itself, treating it less as an economy-wide information and consumer-protection regime and more as another branch of digital policy to be managed alongside platforms, content, and AI. Canada’s private-sector privacy law has always extended well beyond the digital sector, governing how banks, airlines, insurers, and retailers handle personal information in contexts unrelated to social media or chatbots. It has therefore been administered by an independent watchdog and led by the Industry portfolio: John Manley introduced the very first bill in 1998, Navdeep Bains introduced Bill C-11 to amend it as Minister of Innovation, Science and Industry, and François-Philippe Champagne led Bill C-27 from the same position. Bill C-36 is the Minister of Artificial Intelligence and Digital Innovation’s bill, the clearest possible signal that privacy is now understood as an adjunct of the AI and digital file rather than as a distinct right with its own institutional home.
Bill C-36 does not abolish the Office of the Privacy Commissioner, which, as noted, continues to exist and administer the public-sector Privacy Act. What the bill does is remove the Commissioner’s jurisdiction over the private sector entirely, eventually repealing the part of PIPEDA that has been the source of that authority since 2000 and reassigning every private sector function, from complaints and investigations to audits, codes of practice, and penalties, to the new commission. The Privacy Commissioner of Canada, an Agent of Parliament confirmed by resolution of both the Senate and the House and reporting directly to Parliament, is replaced as the private-sector regulator by a Cabinet-designated member of a commission whose chair and majority are occupied by members focused on online content enforcement. This is a serious downgrade in independence since an Agent of Parliament occupies a constitutional position designed to hold government itself to account, with a direct line to the legislature rather than to the minister.
As far as I can tell, none of Canada’s democratic peers assigns private sector privacy enforcement to a body that also polices online harms. The near-universal model is a dedicated, independent data protection authority kept structurally separate from the online safety regulator. In the European Union, the GDPR requires every member state to maintain an independent supervisory authority for data protection, an independence requirement rooted in the EU Charter itself, while online content and harms under the Digital Services Act are assigned to a separate Digital Services Coordinator in each country. The United Kingdom keeps data protection with the Information Commissioner’s Office and online safety with Ofcom, two distinct institutions that coordinate through joint statements on areas of overlap such as age assurance. Australia does the same, splitting privacy oversight at the Office of the Australian Information Commissioner from online safety at the eSafety Commissioner, the two regulators having signed a memorandum of understanding in April 2026 to coordinate on precisely the age-assurance and platform-safety questions that C-36 would house inside a single body.
The implications of the change will have a direct effect on Bill C-34 and the inclusion of privacy protection for age verification. For example, I’ve written that Bill C-34 requires the Commission to consult with the Privacy Commissioner of Canada when developing age-verification technologies. If responsibility for privacy rests with the Commission, why have that provision? It turns out, the government plans to repeal that consultation altogether once this takes effect. The changes in other areas are less certain: how does this work with provincial privacy commissioners and provincial laws which share responsibility for privacy? Does this impact Canada’s adequacy finding with the EU, which requires an independent data protection authority?
Bill C-36 hands the entire private-sector privacy file to a Cabinet-appointed content-and-data commission while effectively removing the only independent federal privacy watchdog Canadians have ever had from the room. There will rightly be much debate about the substantive changes and whether they meet the moment (more about them soon). But this change to privacy enforcement in Canada will be bigger than any of the substantive reforms, as it marks the end of the globally-respected Privacy Commissioner of Canada on private sector privacy law and the arrival of a super-regulator with astonishing powers that may be unmatched anywhere in the democratic world.
Post originally appeared at https://www.michaelgeist.ca/2026/06/canadas-digital-super-regulator-bill-c-36-pushes-out-the-privacy-commissioner-and-hands-private-sector-privacy-to-an-overloaded-commission/
Find me on:
Are we getting the picture yet? A Chinese style fire wall. These are not mistakes they are deliberate. They don’t want us to have any privacy.