Based on the first-reading texts of Bill C-34 (June 10, 2026) and Bill C-36 (June 15, 2026), and analysis by law professor Michael Geist. These bills are early drafts and will change.

A Brief Summary

Most Canadians assume the Privacy Commissioner of Canada protects their privacy when a bank, an airline, an insurer, or a retailer handles their personal information. After all, that office has very deep knowledge in all matters privacy and data protection. If Bill C-36 passes as written, that stops being true. The Privacy Commissioner would no longer enforce private sector privacy law at all. That job would move to a brand-new body that also polices online speech and content.

This article is only about enforcement. It is about who holds the whistle, who hands out the penalties, and why the answer matters.

Two bills, one new referee

Bill C-34, the Safe Social Media Act, builds a new regulator called the Digital Safety Commission of Canada. Its job is online safety: a social media age limit, age checks, design rules for kids, and the policing of harmful content like child sexual abuse material, intimate images shared without consent, content that pushes a child toward self-harm, bullying, hate, incitement to violence, and terrorist content.

Five days later, Bill C-36, the Protecting Privacy and Consumer Data Act, did something the public did not see coming. It renamed that same body the Digital Safety and Data Protection Commission of Canada and bolted private sector privacy onto its list of jobs. Michael Geist describes it as a five-member commission, with all five members appointed by Cabinet. So one small group would now referee both online content across the country’s biggest platforms and the way every business in Canada collects, uses, and shares personal information.

As Geist puts it, the name lasted only days before privacy got added on top.

How enforcement would work

Under Bill C-36, the privacy side gets its own internal setup. Cabinet picks one member of the Commission to be the new Privacy and Consumer Data Commissioner. That person, plus at least one other member, forms the Privacy and Consumer Data Division, which acts as the tribunal that hands out penalties and reviews decisions.

The basic path looks like this. A person files a complaint. The Commissioner investigates, though this new law gives many reasons to decline. The Commissioner can strike a compliance agreement or issue a notice of contravention with a proposed order and a penalty. Cases can be reviewed by the Division and appealed to the Federal Court. Individuals also get a private right of action to sue for damages in some cases. Remember CASL? That Private Right of Action lasted 7 years – right up to 10 days before it was to come into force, and the then head of ISED, Navdeep Bains, “indefinitely postponed it”. That very same day, CASL was removed from all organization’s priority lists.

The penalty for a privacy breach can reach the greater of ten million dollars or three percent of a company’s gross global revenue. That number only applies to a specific list of provisions, not every rule in the Act. The law also states that the purpose of a penalty is to encourage compliance and not to punish.

Bill C-34 carries its own enforcement toolkit for the online safety side: inspectors, warrants to enter premises, compliance orders, hearings, undertakings, and administrative penalties. Its monetary penalties reach the greater of ten million dollars or three percent of gross global revenue, and its criminal fines for operators can climb to the greater of twenty million dollars or five percent of gross global revenue. Clearly, the same commission would wield very large sticks across two very different worlds.

Here is the part that should stop you

Read The Full Article at Newport Thomson

Check Also

Bill C-36 and the Future of Canada’s Federal Private Sector Privacy Law: What Has Changed, What It Means, and What to Do Now

Introduction Canada’s federal private sector privacy reform has returned, and it is not me…