Bill C-27 Digital Charter: What You Need to Know in 2026
Canada's privacy framework is undergoing its most significant transformation in more than two decades. Bill C-27, formally known as the Digital Charter Implementation Act, 2022, proposes to modernize how organizations collect, use, and disclose personal information — and, for the first time in Canadian federal law, how they develop and deploy artificial intelligence systems. Whether you run a small e-commerce shop in Halifax or lead compliance at a Toronto-based fintech, understanding Bill C-27 is now essential.
This guide breaks down what Bill C-27 is, the three laws it introduces, how it differs from PIPEDA, what penalties look like, and the concrete steps Canadian businesses should take to prepare.
What Is Bill C-27?
Bill C-27 is a Canadian federal bill that would replace parts of the current federal privacy statute, PIPEDA (the Personal Information Protection and Electronic Documents Act), and introduce brand-new rules for artificial intelligence. It is the government's second attempt to implement the Digital Charter, a ten-principle policy framework first announced in 2019 that promises stronger privacy rights, clearer consent rules, and meaningful enforcement.
The bill is structured as three separate acts bundled together:
- The Consumer Privacy Protection Act (CPPA) — replaces the private-sector privacy rules in PIPEDA.
- The Personal Information and Data Protection Tribunal Act — creates a new tribunal with the power to impose financial penalties.
- The Artificial Intelligence and Data Act (AIDA) — Canada's first federal AI-specific legislation, focused on "high-impact" systems.
Bill C-27 was introduced in June 2022 and has moved through committee study. Even in its pre-Royal-Assent form, it is shaping how forward-looking Canadian businesses design their privacy and AI governance programs.
The 10 Principles of the Digital Charter
Before diving into the legal machinery, it helps to understand the political vision behind Bill C-27. The Digital Charter sets out ten guiding principles:
- Universal access to digital services
- Safety and security online
- Control and consent over personal data
- Transparency, portability, and interoperability
- Open and modern digital government
- A level playing field for businesses
- Data and digital for good
- Strong democracy
- Freedom from hate and violent extremism
- Strong enforcement and real accountability
Bill C-27 attempts to translate principles 3, 4, 6, 7, and 10 into enforceable law.
The Consumer Privacy Protection Act (CPPA)
The CPPA is the heart of Bill C-27. It carries forward much of PIPEDA's structure but tightens definitions, strengthens individual rights, and introduces steep penalties.
Key Changes from PIPEDA
- Plain-language consent: Organizations must explain, in clear terms, what data is collected, why, who it's shared with, and any reasonably foreseeable consequences.
- Right to deletion ("disposal"): Individuals can request that their personal information be deleted, subject to limited exceptions.
- Data portability: Individuals can request that their information be transferred between designated organizations.
- Algorithmic transparency: Individuals may request an explanation of predictions, recommendations, or decisions made about them by automated decision systems.
- Minors' data: The personal information of minors is treated as "sensitive" by default, triggering higher protection standards.
- De-identification and anonymization: The bill defines both terms and sets rules for when de-identified data can be used without consent.
- Codes of practice and certification: Industries can develop sector-specific codes, approved by the Privacy Commissioner, to demonstrate compliance.
New Rights for Canadians Under the CPPA
- Right to know what personal information is held about them
- Right to have inaccurate information corrected
- Right to withdraw consent
- Right to request disposal (deletion)
- Right to data mobility between designated organizations
- Right to an explanation of automated decisions
The Personal Information and Data Protection Tribunal
One of the loudest criticisms of PIPEDA has been weak enforcement. The Privacy Commissioner of Canada could investigate and recommend, but had no power to fine. Bill C-27 changes that by creating a dedicated tribunal.
Under the new structure:
- The Privacy Commissioner investigates complaints and can issue compliance orders.
- The Commissioner may recommend administrative monetary penalties.
- The Personal Information and Data Protection Tribunal reviews recommendations and imposes penalties.
- Tribunal decisions can be appealed to the Federal Court of Appeal.
How Big Are the Penalties?
Bill C-27 introduces two tiers of financial consequences, some of the highest in the G7:
| Type | Maximum Penalty | Triggering Conduct |
|---|---|---|
| Administrative monetary penalty | Greater of $10 million CAD or 3% of global gross revenue | Serious contraventions of the CPPA (e.g., failure to obtain valid consent, inadequate safeguards) |
| Offence on indictment (criminal) | Greater of $25 million CAD or 5% of global gross revenue | Knowing violations, obstruction, or failure to report breaches |
For context, PIPEDA's current maximum fine sits at $100,000 for very specific offences. The jump is dramatic and puts Canada roughly in line with the EU's GDPR.
The Artificial Intelligence and Data Act (AIDA)
AIDA is the third and most novel component of Bill C-27. It establishes a risk-based framework for regulating AI systems in the private sector.
What AIDA Covers
AIDA focuses on "high-impact" AI systems — the exact scope will be defined by regulation, but early government companion documents suggest the following categories:
- Screening systems used in employment
- Biometric identification and behavioural inference
- Systems influencing access to essential services (credit, housing, insurance)
- Content moderation and recommender systems at scale
- Health-care and safety-critical systems
- Law enforcement and immigration applications
Core Obligations for AI Developers and Deployers
- Risk assessment: Identify and mitigate risks of harm and biased output.
- Monitoring: Continuously monitor systems for compliance and adverse effects.
- Transparency: Publish plain-language descriptions of high-impact systems.
- Record keeping: Maintain documentation of datasets, testing, and mitigation measures.
- Incident reporting: Report material harms to the Minister of Innovation, Science and Industry.
Non-compliance can lead to administrative penalties, and in cases of reckless or fraudulent AI use causing serious harm, criminal fines and even imprisonment.
How Bill C-27 Compares to PIPEDA and GDPR
| Feature | PIPEDA (current) | Bill C-27 (CPPA) | EU GDPR |
|---|---|---|---|
| Right to deletion | Limited | Yes ("disposal") | Yes ("right to be forgotten") |
| Data portability | No | Yes (between designated orgs) | Yes |
| Algorithmic transparency | No | Yes | Yes (Art. 22) |
| Max fine | $100,000 | Greater of $25M or 5% of global revenue | Greater of €20M or 4% of global revenue |
| Breach notification | Yes | Yes (expanded) | Yes (72 hours) |
| AI-specific rules | No | Yes (AIDA) | Separate EU AI Act |
| Enforcement body | Privacy Commissioner (advisory) | Commissioner + Tribunal | National DPAs |
Who Does Bill C-27 Apply To?
The CPPA applies to organizations that collect, use, or disclose personal information in the course of commercial activities across provincial or national borders — mirroring PIPEDA's scope. It also applies to federally regulated businesses (banks, telecoms, airlines, interprovincial transport).
Provinces with "substantially similar" private-sector laws — Quebec, British Columbia, and Alberta — will continue to have their own regimes apply intra-provincially. Quebec's Law 25, in particular, has already raised the bar and in many ways served as a preview of what Bill C-27 aims to accomplish federally.
AIDA has a broader reach: any organization that designs, develops, or makes available high-impact AI systems in the course of international or interprovincial trade will be captured.
Pros and Cons of Bill C-27
Pros
- Brings Canadian privacy law closer to global standards, easing cross-border data flows with the EU.
- Real enforcement teeth via the Tribunal and significant penalties.
- Modernizes rules for de-identification, minors' data, and automated decisions.
- First federal AI framework, providing legal clarity for AI developers.
- Encourages sector-specific codes of practice, reducing one-size-fits-all compliance burdens.
Cons
- AIDA has been criticized for leaving too much to future regulations, creating uncertainty.
- Compliance costs will rise, particularly for SMEs.
- Definitions of "legitimate interest" and "anonymized" data have drawn concern from privacy advocates.
- The Tribunal adds a layer between complainants and enforcement, potentially slowing outcomes.
- The bill has faced significant delays and amendments, leaving businesses in limbo.
How Canadian Businesses Should Prepare
Even though Bill C-27 has not yet received Royal Assent at the time of writing, prudent organizations are already preparing. Here is a practical roadmap:
- Map your data. Know what personal information you collect, where it's stored, who has access, and where it flows internationally.
- Refresh your privacy notices. Rewrite them in plain language, itemize purposes, and explicitly describe automated decision-making.
- Build a deletion workflow. Design a system to honour disposal requests within statutory timelines.
- Audit your vendors. Third-party processors are a common source of exposure. Update your data processing agreements.
- Inventory your AI. Catalogue every model in production, its inputs, training data, and downstream impact — this is the foundation of AIDA readiness.
- Appoint accountability. Designate a privacy officer and, where relevant, an AI governance lead.
- Tighten security. Review encryption, access controls, and breach response playbooks.
- Train employees. Human error remains the top cause of privacy breaches.
Practical Privacy Tools for Small Businesses
Small Canadian businesses often struggle with tooling. A few practical building blocks help: encrypted DNS resolvers, privacy-respecting analytics, secure password managers, and platforms that minimize what they collect by design. For marketing links, for example, choosing a link management tool that doesn't hoard visitor data matters. Services like Lunyb offer link shortening with a privacy-forward posture — a small choice that reduces your data footprint and simplifies your compliance story. If you're evaluating options, our 2026 buyer's guide to URL shorteners and our honest Lunyb review compare the leading tools on privacy, features, and price. You can also see how legacy players stack up in our Rebrandly review for 2026.
What Happens If Bill C-27 Doesn't Pass?
Even if Bill C-27 stalls or is redrafted after an election cycle, its core policy directions — meaningful penalties, expanded individual rights, and AI oversight — are unlikely to disappear. Provincial laws (especially Quebec's Law 25), Canada's adequacy status with the EU, and industry expectations are all pushing in the same direction. In short: preparing for C-27 is preparing for the future of Canadian privacy law, whatever its final legislative form.
Frequently Asked Questions
When will Bill C-27 come into force?
Bill C-27 has not yet received Royal Assent. Once passed, the government has signalled a transition period (likely 12–24 months) before enforcement begins, with AIDA regulations to follow. Businesses should assume a compliance horizon of the next 1–3 years.
Does Bill C-27 replace PIPEDA entirely?
No. Bill C-27 replaces PIPEDA's private-sector privacy rules (Part 1). PIPEDA's electronic documents provisions remain. Federal public-sector privacy is still governed by the separate Privacy Act.
How does Bill C-27 affect small businesses?
Small businesses that handle personal information commercially will need to update consent language, honour new individual rights (like deletion and portability), and strengthen safeguards. The bill allows for codes of practice that can make compliance more proportionate for smaller organizations, but the fundamental obligations still apply.
What counts as a "high-impact" AI system under AIDA?
The final list will be set by regulation, but expected categories include AI used in hiring, biometric identification, essential services (credit, insurance, housing), large-scale content moderation, health care, and law enforcement. If your AI materially affects someone's rights, safety, or economic opportunities, assume it will be captured.
How does Bill C-27 interact with Quebec's Law 25?
Quebec's Law 25 continues to apply to personal information handled within Quebec. Where activities cross provincial or national borders, the CPPA will apply. Many organizations subject to Law 25 will find they already meet a substantial portion of C-27's requirements — but not all, particularly on AI and disposal rights.
What are the biggest fines under Bill C-27?
Administrative penalties can reach the greater of $10 million CAD or 3% of global gross revenue. For the most serious criminal offences, fines can reach the greater of $25 million CAD or 5% of global gross revenue — among the highest in the world.
Final Thoughts
Bill C-27 represents a genuine paradigm shift for Canadian privacy and technology law. It elevates individual rights, gives regulators real enforcement power, and — through AIDA — begins the difficult work of governing artificial intelligence. The organizations that will thrive are the ones that treat privacy and AI governance not as compliance boxes but as trust-building infrastructure. Start mapping your data, auditing your models, and choosing privacy-respecting tools now. The Digital Charter era is coming, whether Bill C-27 passes this session or the next.