June 18, 2026

Analysis of C-36 — Canada's New Proposed Data Privacy Law

Matthew da Mota, Research Director, National Security and Emerging Technology
And Emily Osborne, Research Associate

For the past couple of months, The Canadian Shield Institute has been publishing weekly policy briefs as part of Foundations of Digital Sovereignty. The thesis of this project is that governance is the defining feature of sovereignty — especially in the digital realm.

In Chapter 4 of Foundations of Digital Sovereignty we took a close look at data governance, and as part of that work, we sketched out what a serious data protection law would look like. We identified five things in particular:

  • Egress tools
  • Knowledge about how their data is being collected and used
  • Meaningful opt-out rights
  • The ability to effectively use third-party software or tools
  • Rights to have their information deleted or rectified

Now, just a few weeks later, the federal government has introduced the Protecting Privacy and Consumer Data Act for debate in Parliament. How does the law stack up against what we published in Foundations of Digital Sovereignty?

Egress tools

In the context of the digital economy, egress tools are systems that allow somebody to pull their data out of one service provider, in a format that allows it to be transferred to another service provider.

This kind of tool is important for interoperability, and a key right for enabling consumer choice. The use of egress tools for preserving privacy is featured in the European Union’s General Data Protection Regulation (GDPR) — the most ambitious attempt at data regulation globally by a major jurisdiction.

In the context of Canada’s new privacy bill, Subsection 72(1) requires that service providers disclose what private information they have about the user to a designated third party upon request — if both organizations are subject to data mobility frameworks. We won’t actually know how this will work for a while, because the government hasn’t specified details on those “data mobility frameworks” yet. After the law is passed, Cabinet can spell out the details in regulations.

The details of egress tools will be a very important element for future regulations. But it’s also worth noting that this is a very complicated issue with current technology. When thinking about algorithmic or AI systems, actually determining if data has been removed once it has been put into training data for a model is extremely difficult — potentially even impossible.

Knowledge about how their data is being collected and used

Transparency is essential for data governance. If you don’t know how your personal information is being used, it’s difficult to meaningfully object to those uses.

Bill C-36 makes some significant strides on this.

Under Subsection 15 of the new law, user consent will only be valid if an organization makes information available to users about how it collects, uses and discloses personal information in plain language. “Plain language” is defined as language that an individual could reasonably be expected to understand.

Subsection 62 requires that an organization make readily available an explanation on how it fulfills its obligations under the Act. This includes disclosing what information is collected, how that information is used, and whether information is used by an automated decision-making system that may have a significant effect on an individual.

There is some degree of vagueness here that will be addressed by regulations. The purpose of leaving the details for follow-on regulations is that it allows the government to be more flexible, adjusting over time to ensure the rules are fit for purpose without passing a whole new law through Parliament. But right now, the specifics are a bit of an open question.

It’s worth saying that transparency also relies heavily on enforcement. C-36 creates powers vested within a new “Digital Safety and Data Protection Commission of Canada” to provide oversight around how data is being used by organizations, which is a significant positive development.

Ability to effectively use third-party software and tools

This recommendation in Foundations of Digital Sovereignty was rooted in the need for users to be able to make use of third-party tools to enhance and expand their privacy in relation to platforms and systems they are using.

This isn’t really covered at all in C-36, but that probably makes sense. This might be a topic more appropriately explored in standards development, which the government has committed to engage in through its AI For All strategy.

 

Meaningful opt-out rights

In the context of data governance, opt-out rights mean an alternative to the all-or-nothing deal that many digital platforms present to users today. If a user doesn’t want their data collected, they should have the ability to still use a service to whatever degree is possible without that collection.

The closest that C-36 gets to this is the right for a user to withdraw their consent for an organization to use their personal information — but this right is fairly narrowly tailored.

The Bill has some key elements that connect to the right to opt out. The right to withdraw consent, in whole or in part, with reasonable notice to the organization (subsection 17(1)) is the closest to an explicit mention of opt-out rights. The withdrawal of consent is an important right; however, it is different from meaningful “opt-out” rights. It is also important to recall that withdrawal of consent might not be possible once data is used in AI or algorithmic systems, which internalize data in ways that are very difficult to undo. The right to withdraw consent is also currently in PIPEDA (4.3.8), so this is not a major shift from existing privacy legislation.

Rights to have their information deleted or rectified

This is another data right that the Europeans have pioneered in GDPR with the right to rectification and the right to be forgotten.

In Bill C-36 there is a right to have information deleted, but with many caveats and requirements that make the right potentially difficult to apply.

Subsection 54 of the Bill allows individuals to make written requests for their personal information to be deleted by an organization. But the law would only require an organization to follow through on that request to delete data under 3 specific conditions:

  1. The information was used in contravention of the Act;
  2. Consent was withdrawn by the individual; or
  3. The information is no longer necessary for the provision of a service or product requested by the individual.

These are fairly narrow conditions.

Subsection 54 also sets out an even longer list of exceptions, creating circumstances when an organization can ignore a request for deletion, including:

  • if the request was made in bad faith or is vexatious; or
  • the disposal of the information would have an “undue adverse effect on the organization” outweighing the adverse effect of the retention of the information on the individual.

Notably, the new law specifies that de-identified data is not subject to requirements for disposal, which is significant because de-identified data can often be re-identified.

C-36 requires organizations to take reasonable steps to ensure that personal information is as accurate as is necessary for its purposes, but the proposed law stops short of providing Canadians with the right to have their personal information rectified if it is incorrect. This is strange given that the previous privacy law, PIPEDA, provided individuals the ability to request a correction of personal information, making this one of the few steps backward from PIPEDA.

On the value of data

In Chapter 4 of Foundations of Digital Sovereignty, we argued that strong data governance is about building public trust and empowering Canadians, but it’s also about creating the social licence for leveraging data for beneficial public re-use.

The fact that C-36 treats de-identified data as a category that does not need regulation is a real shortcoming. De-identified data comes with risks of re-identification (which the bill acknowledges in its definition) and can still be used to enable harmful practices, like surveillance pricing.

There is a prohibition on using de-identified personal information to identify an individual, under most circumstances, which might help to prevent this misuse of re-identified data. However, this still does not account for the complexity of data valuation generally and the fact that even de-identified data has an intrinsic value which individuals should have the right to protect.

Overall, the new legislation takes positive steps forward. Much of what is left out can be expanded and tweaked when the government drafts regulations, and this is likely a more sustainable way of governing these technologies anyway.

However, some questions still remain about what the core assumptions are about privacy rights in the Bill and how this will play out in the coming years as the Bill comes into effect.
