Search
Close this search box

Newport Thomson

  • Home
  • PIPEDA
  • Canada Reopens the Privacy Act: What It Means for Organizations That Work With Government
June 13, 2026Privacy

Canada Reopens the Privacy Act: What It Means for Organizations That Work With Government

The headline

On April 2, 2026, the federal government launched a formal review of the Privacy Act – the law governing how more than 250 federal institutions handle the personal information of Canadians. The Act has not been substantially updated since 1983. A policy paper accompanies the review, and the public consultation window closes July 10, 2026, with a consolidated findings report expected in late 2026 or early 2027.

This is distinct from PIPEDA, CASL, and Quebec’s Law 25, which govern the private sector. The Privacy Act governs government. But the distinction matters less than it first appears, and that is the point of this brief.

Why private-sector organizations should care

New obligations placed on federal institutions rarely stop at the institution’s door. When government tightens its own data-handling rules, mandatory privacy impact assessments, breach reporting, stronger safeguards, those requirements flow downhill to the vendors, contractors, and service providers who handle personal information on the government’s behalf. What is written as a public-sector duty becomes a contract clause for the companies in the supply chain.

If your organization holds a government contract, bids on one, or processes data for a federal program, the rules being drafted now will shape the terms you are asked to sign later. The prudent move is to assess current data-handling practices against the direction of travel before that direction becomes a procurement requirement.

What the government is proposing

The reform proposals are organized into six themes. The provisions most relevant to organizations in the government supply chain:

  • Data sharing across programs. Federal departments would be able to share and reuse personal data so Canadians provide their information only once. This is framed as a service-delivery benefit; it also concentrates privacy risk.
  • Mandatory privacy impact assessments before high-risk initiatives, with strengthened transparency obligations – including for automated decision-making.
  • A necessity test for collecting and retaining personal information, limiting data collection to what is actually required.
  • Mandatory breach reporting, with design questions still open on thresholds, timelines, and record-keeping.
  • Privacy recognized as a fundamental right, through an amended purpose clause or preamble.
  • Stronger enforcement. The Privacy Commissioner, who can currently only issue non-binding recommendations, would gain authority to require institutions to develop and report on a corrective action plan, with non-compliance referable to the Federal Court.

The gap worth watching

The most useful insight from the legal analysis is the daylight between what the government is offering and what the Privacy Commissioner (the OPC) has asked for. Three examples:

  • Necessity vs. necessity and proportionality. The government proposes a necessity test. The OPC wants necessity and proportionality or a higher bar requiring institutions to show an intrusion is not merely necessary but justified relative to the objective.
  • Automated decision-making. The government leans toward keeping AI governance as a policy directive. The OPC wants it written into the statute, on the reasoning that a policy can be quietly changed while a law cannot.
  • Enforcement teeth. The government offers a corrective action plan mechanism rather than the full binding order-making powers the OPC has long sought.

This gap is the substance of the consultation. A statute that names privacy as a fundamental right but stops short of making it operative is a symbolic gesture, not an enforceable framework. As the saying goes: there’s no good picking up speed if you’re on the wrong road. The quality of stakeholder input over the next several months will determine whether this review delivers transformative reform or incremental change.

Recommended actions

  1. If you hold or pursue government contracts: review current data-handling and privacy compliance practices now, in anticipation of downstream obligations.
  2. If your sector will be affected: consider submitting comments through the consultation form before the July 10, 2026 deadline. Reform shaped by broad engagement is harder to dilute later.
  3. For all organizations: treat the direction of this review as a signal of where Canadian privacy expectations are heading generally, necessity, transparency, breach reporting, and accountability are becoming the baseline, not the exception.

This summary is for information purposes and is not legal advice. Organizations with specific concerns should seek qualified counsel.

Leave a Reply