Who Actually Enforces Your Privacy? Why Bills C-34 and C-36 Should Worry Canadians
Based on the first-reading texts of Bill C-34 (June 10, 2026) and Bill C-36 (June 15, 2026), and analysis by law professor Michael Geist. These bills are early drafts and will change.
A Brief Summary
Most Canadians assume the Privacy Commissioner of Canada protects their privacy when a bank, an airline, an insurer, or a retailer handles their personal information. After all, that office has very deep knowledge in all matters of privacy and data protection. If Bill C-36 passes as written, that stops being true. The Privacy Commissioner would no longer enforce private sector privacy law at all. That job would move to a brand-new body that also polices online speech and content.
This article is only about enforcement. It is about who holds the whistle, who hands out the penalties, and why the answer matters.
Two bills, one new referee
Bill C-34, the Safe Social Media Act, builds a new regulator called the Digital Safety Commission of Canada. Its job is online safety: a social media age limit, age checks, design rules for kids, and the policing of harmful content like child sexual abuse material, intimate images shared without consent, content that pushes a child toward self-harm, bullying, hate, incitement to violence, and terrorist content.
Five days later, Bill C-36, the Protecting Privacy and Consumer Data Act, did something the public did not see coming. It renamed that same body the Digital Safety and Data Protection Commission of Canada and bolted private sector privacy onto its list of jobs. Michael Geist describes it as a five-member commission, with all five members appointed by Cabinet. So one small group would now referee both online content across the country’s biggest platforms and the way every business in Canada collects, uses, and shares personal information.
As Geist puts it, the name lasted only days before privacy got added on top.
How enforcement would work
Under Bill C-36, the privacy side gets its own internal setup. Cabinet picks one member of the Commission to be the new Privacy and Consumer Data Commissioner. That person, plus at least one other member, forms the Privacy and Consumer Data Division, which acts as the tribunal that hands out penalties and reviews decisions.
The basic path looks like this. A person files a complaint. The Commissioner investigates, though this new law gives many reasons to decline. The Commissioner can strike a compliance agreement or issue a notice of contravention with a proposed order and a penalty. Cases can be reviewed by the Division and appealed to the Federal Court. Individuals also get a private right of action to sue for damages in some cases. Remember CASL? That Private Right of Action lasted 7 years – right up to 10 days before it was to come into force, when the then head of ISED, Navdeep Bains, “indefinitely postponed it”. That very same day, CASL was removed from all organizations’ priority lists.
The penalty for a privacy breach can reach the greater of ten million dollars or three percent of a company’s gross global revenue. That number only applies to a specific list of provisions, not every rule in the Act. The law also states that the purpose of a penalty is to encourage compliance and not to punish.
Bill C-34 carries its own enforcement toolkit for the online safety side: inspectors, warrants to enter premises, compliance orders, hearings, undertakings, and administrative penalties. Its monetary penalties reach the greater of ten million dollars or three percent of gross global revenue, and its criminal fines for operators can climb to the greater of twenty million dollars or five percent of gross global revenue. Clearly, the same commission would wield very large sticks across two very different worlds.
Here is the part that should stop you
The Privacy Commissioner of Canada is not just another government office. It is an Agent of Parliament. The holder is confirmed by both the Senate and the House of Commons and reports directly to Parliament rather than to a minister. That setup exists for one reason: so the watchdog can hold the government itself to account without asking the government’s permission.
Bill C-36 takes private sector privacy away from that independent watchdog and gives it to a Cabinet-appointed member of a commission whose chairperson and majority are focused on online content. The Privacy Commissioner does not disappear. The office keeps the public sector Privacy Act. But on the private sector side, the side that touches your bank, your phone company, your insurer, and every store you shop at, the independent and, more important, deeply knowledgeable referee is taken off the field.
In plain terms, the body that decides whether a company broke privacy rules would be appointed by, and sit closer to, the very government whose own data practices privacy law is supposed to keep in check. That is a serious drop in independence. A regulator that is not structurally independent cannot reliably pull the government into line, no matter how the job description reads.
Why this is unusual, and why that should give you pause
Geist correctly points out that none of Canada’s democratic peers hands private sector privacy to the same body that polices online harms. The common model keeps them apart on purpose.
- In the European Union, the GDPR requires each country to keep an independent data protection authority, and online content sits with a separate coordinator.
- The United Kingdom keeps privacy at the Information Commissioner’s Office and online safety at Ofcom, two different bodies.
- Australia splits privacy at its Information Commissioner from online safety at its eSafety Commissioner.
Canada would be doing the opposite, folding both into one Cabinet-appointed group. When everyone else builds a fence between two jobs and you tear it down, that is worth a hard look, not a fast vote. As I often say, “No good picking up speed if you’re on the wrong road”. Effective enforcement is the key to any new law. I am not convinced this structure is best for all Canadians and our standing in the world.
There are knock-on worries too. The European Union grants Canada an “adequacy” status that lets data flow freely between them, and that status depends on Canada having an independent data protection authority. Remove the independent authority and you put that arrangement, and the trade that rides on it, in question. There is also the tangle with provincial privacy laws and provincial commissioners, who share this space and now must figure out how they fit.
One more telling detail. Bill C-34 currently tells the Commission to consult the Privacy Commissioner when it builds age-verification technology, a sensible privacy check given how much personal data age checks can sweep up. Geist reports the government plans to repeal that consultation once C-36 takes effect. The independent privacy voice gets written out of the room there too.
At the End of the Day
Strip away the legal language and the concern is simple. A core public protection is being moved from an independent watchdog that answers to Parliament to a new super-regulator that answers much more closely to Cabinet, and it is happening inside a large bill rather than through the kind of open, extended consultation a change this big deserves.
You do not have to agree on every policy detail to see the problem with the process and the structure. The question every Canadian should be asking is plain: when a company mishandles my personal information, who is the independent referee, and do they have the power and the distance to call it straight, within a reasonable time frame?
Note: These are first-reading bills. Provisions, numbers, and even the names of the bodies involved are likely to shift as the bills move through committee and public consultation. Stay tuned. Newport Thomson is working with PACC to develop a Public Consultation position that can be presented to the House of Commons.
