Canada’s Privacy Reform: Familiar on the Surface, Divergent Underneath

Canada has tabled Bill C-36, a GDPR-style privacy overhaul. For organisations already under European rules it reads as convergence but works as divergence: a second regulator, second thresholds and a second set of rights to map across adequacy, automated decisions and transfers.

Canada has decided its privacy law should look more like Europe’s, and that decision is the catch. On 15 June the federal government tabled Bill C-36, the Protecting Privacy and Consumer Data Act, and the resemblance to the GDPR is deliberate. For an organisation already governed by European rules, though, Canada’s privacy reform is not the convergence it appears to be. A second rulebook that borrows your vocabulary but sets its own thresholds does not lighten the load. It quietly doubles the surface you have to watch. Read that way, Canada’s privacy reform is less a gift to compliance teams than one more thing to track.

What Canada’s privacy reform actually changes

Bill C-36 would replace the privacy provisions of PIPEDA, the law that has governed Canadian private-sector data for two decades, with a statute that names privacy as a fundamental right. Enforcement moves to a newly created Digital Safety and Data Protection Commission, away from the Office of the Privacy Commissioner, and the regulator gains the power to issue binding orders rather than recommendations. The penalty ceilings move into GDPR territory: up to C$10 million or 3 per cent of global revenue for administrative breaches, and up to C$25 million or 5 per cent for the most serious offences. The substance is recognisably European in shape. There is a right to deletion that explicitly covers AI-generated deepfakes, heightened protection for children’s data as a sensitive category, and stronger transparency and challenge rights around automated decision-making. The new Commission also carries online-safety duties alongside privacy, folding into one regulator two mandates a European reader is used to keeping apart. Ottawa is selling the bill as both a trust framework for AI and a sovereignty instrument, the same twin justification Brussels has used for the AI Act. The government’s own announcement frames it as protecting Canadians in the digital age, and legal analysts have already flagged how far the text reaches.

Familiar on the surface, divergent underneath

The risk for European teams is not that Canada is doing something alien. It is that it is doing something almost the same. Canada’s privacy reform mirrors the GDPR closely enough to be mistaken for it, and the mistakes are expensive. A right to deletion that names deepfakes runs broader than the GDPR’s erasure right in one direction and narrower in others. Children’s data treated as categorically sensitive sits close to the GDPR but not flush against it. Automated-decision rights built around challenge and explanation echo Article 22, yet the trigger conditions and the carve-outs will be Canada’s own. Each near-match is a place where a control that satisfies the GDPR may not satisfy the new Canadian regime, and where a process built for Canada may overreach or fall short under the GDPR. Familiarity is the trap. It invites teams to assume the existing playbook ports cleanly, when the divergences hide in precisely the parts that look settled. We set out the same pattern in our work on transatlantic governance: two regimes can share a control map and still disagree on what counts as compliance.

What Canada’s privacy reform asks of EU-governed teams

If you process Canadian personal data, or run automated systems that touch people in Canada, the bill is a planning signal rather than an immediate duty, since it still has to pass Parliament. The mapping work starts now, not on royal assent, and in each of the places below Canada’s privacy reform diverges just enough to matter.

Where the gaps show up

  • Adequacy. A statute that recasts the regulator, the penalties and the rights is the kind of change that feeds an adequacy review, and any shift in Canada’s standing would ripple through transfers you currently treat as low friction.
  • Automated decisions. The gap between Article 22 and the Canadian version decides whether one explanation process serves both regimes or whether you need two, and our note on the right to explanation shows where these mechanisms tend to fail in practice.
  • Impact assessments. Any system that decides about Canadians gains a second legal test to document against, and Canada’s legitimate-interest provision will not line up neatly with the GDPR’s.
  • Contracts. Deletion and deepfake-removal duties that did not exist when your processor agreements were signed have to be read back into them.

None of this is urgent in the sense of a deadline. It is urgent in the sense that the cost of mapping divergence climbs the longer Canada’s privacy reform is filed as an aligned regime rather than a separate one. Treated as a separate regime from the outset, Canada’s privacy reform is a mapping exercise; treated as a copy, it becomes a latent finding waiting in your next audit.

The pattern worth naming

There is a wider lesson here for anyone tracking how privacy law travels. When a major economy models its rules on the GDPR, the headlines read as harmonisation while the operational reality reads as fragmentation. Each borrowed concept arrives with a local threshold, a local regulator and a local appetite for enforcement. For a governance lead, the task is not to admire the resemblance but to find the seams where it breaks. Canada’s privacy reform is the newest seam, and on this evidence it will not be the last. Mapping where Canada’s privacy reform pulls away from the GDPR is the real work the bill raises, not celebrating the family resemblance. Our note on AI governance divergence sets out the signals that should already be resetting your 2026 compliance roadmap, and a near-twin regime is exactly that kind of signal.
