Gowling’s Antoine Guilmain dissects the proposed Protecting Privacy and Consumer Data Act
The federal government’s latest privacy bill, tabled on June 15, 2026, builds on earlier efforts, with a few surprise additions, according to one expert in the field.
Antoine Guilmain is a Montreal-based partner at Gowling WLG and the co-leader of its national cybersecurity and data protection group. And when he looks at Bill C-36, the Protecting Privacy and Consumer Data Act, he’s left with a mixed impression.
“I would say I’m surprised and not surprised.”
In large part, he says the bill draws a direct line back to the earlier Bill C-27 privacy reform and especially its Consumer Privacy Protection Act section, which was created to amend the Personal Information Protection and Electronic Documents Act (PIPEDA). That bill never got past second reading.
“I would say that most of the substance is similar, but when I say I am surprised, it’s essentially when it comes to the commissioner. The Office of the Privacy Commissioner would no longer be responsible for this new act. That came as a surprise for all of the community. That’s why I’m a bit on the fence in terms of my reactions.”
What does Bill C-36 mean for the Privacy Commissioner?
Currently, the OPC has jurisdiction over both the private and the public sectors. It’s a privacy model adopted by many provinces, says Guilmain. That would change if the new bill were passed. As currently written, s. 85 requires that the Governor in Council designate a commissioner to oversee a newly created Privacy and Consumer Data Division (s. 89).
“Bill C-36 creates what I would call a super regulator, with a lot of different coverage areas, including digital safety, including privacy, and it’s much closer to the government in the end. In that sense, I think it’s unique. I’m not aware of any other model like this in the rest of the world,” says Guilmain.
He adds that over the past 25 years, the OPC has built up expertise – as well as a well-respected reputation here in Canada and around the world – and developing similar experience and knowledge within a new commission will take time and effort.
“This bill is going to essentially create something new, as opposed to leveraging an existing body.”
The bill backs the regime with real financial teeth. The maximum administrative penalty for all contraventions in a single investigation is the greater of $10 million or 3 percent of an organization’s gross global revenue (s. 114). The most serious offences – knowingly failing to report a breach, or obstructing the commissioner, for example – carry a separate, higher ceiling: a fine of up to the greater of $25 million or 5 percent of gross global revenue on indictment (s. 145).
It also follows the same model as the recently introduced Bill C-34, the Safe Social Media Act, which establishes a new commission to protect children as they engage with online services.
Borrowing a questionable model from Quebec's Law 25
Besides building on the bones of Bill C-27, Guilmain says there is another key piece of legislation being used as a reference point for this bill: Quebec’s Law 25 (formerly known as Bill-64), which came into full force in 2024.
“The problem I’m facing is I don’t think we can say Quebec’s Law 25 is a good law. Many organizations are not that comfortable with this bill. It didn’t change much in Quebec, so I was a bit surprised to see that this law was used as an example.”
One of the challenges that comes with Law 25 involves data transfer outside of Canada. Under Quebec law, the organization that holds the data is obligated to investigate whether the international regime to which the information is being transferred meets appropriate data safety and privacy standards. Bill C-36 copies Quebec’s process.
“It takes a lot of time and resources, as opposed to in Europe, where the European Commission gives you a list of valid jurisdictions with adequate provisions. There is no such thing in Canada, so you end up in a situation where you are asking your organization to assess whether it’s fine or not, and I think this model is not working in Quebec, yet we decided to have a similar regime at the federal level,” explains Guilmain.
New safeguards for minors and biometric data
Other new elements in Bill C-36 haven’t yet been incorporated into existing Canadian privacy legislation. One of these is the explicit inclusion of minors in the bill's language. Guilmain says that under the proposed legislation, information about those under 18 years old is treated as sensitive by default and, as such, requires safeguards.
Another new mention involves biometrics, which is included in the list of sensitive types of personal information. As Guilmain notes, there is only a single mention in the entire bill of the identifying biological measurements or physical characteristics, but “it’s extremely important, as biometrics are being used in our society more and more, and this is really something that was top of mind for all the regulators for the past five years.”
A missed chance to rein in nuisance data requests
The flip side of additions is omissions, and Guilmain points out one glaring omission from his perspective: the failure to address the problem of organizations being harassed by nuisance requests for personal information. He says that in this era of generative AI, individuals with grievances can easily fire off hundreds of requests, and each of those must be addressed. European law would treat these as nuisance matters, but Canadian law provides no safeguards to prevent such interactions.
“In my practice, in the last two or three years, I’ve seen a spike in terms of access requests that is unprecedented,” he says. “At the end of the day, it’s the collectivity that will be paying. Privacy rights need to be used in a fair way by everybody, including individuals.”
While Guilmain says that overall, this bill seems to grant people more control over their data and increased privacy protections, the law can only do so much. People need to be aware not just of their rights but also of the demands of technology. They need to check privacy settings. They need to decide what they are comfortable with – and comfortable sharing.
“The law is not the response to all our problems. There’s also a societal aspect in the way we use technology.”
