Federal Privacy Reform Is Back: What Businesses Need to Know About the Upcoming December Bill

Written By Charmaine Nyanhemwa

After nearly a year of legislative silence following the prorogation of Parliament in January, federal privacy reform is returning to the table, and it is moving quickly.

Minister of Artificial Intelligence and Digital Innovation, Evan Solomon, has indicated that the government intends to introduce a new privacy and data protection bill in Parliament before the December holiday break. With the House scheduled to rise soon, we anticipate the text of the bill will be tabled in early December.

For Canadian businesses, this signals the end of the "wait and see" period that began when the former Bill C-27 died on the Order Paper. The new legislation promises a distinct shift in strategy: decoupling artificial intelligence regulation from core privacy rights and introducing aggressive new measures to protect digital identity and safety.

A Strategic Pivot: Separating AI from Privacy

One of the most significant takeaways from Minister Solomon’s announcement is the structural change to the legislation. Unlike its predecessor, Bill C-27, which bundled the Consumer Privacy Protection Act (CPPA) with the Artificial Intelligence and Data Act (AIDA), the new bill will focus exclusively on private sector data protection.

The government has confirmed that the AI portion of the legislation is being handled separately. This unbundling is likely intended to fast-track privacy reforms that have broad consensus, avoiding the complex and often contentious debates surrounding high-risk AI systems that slowed previous attempts.

Key Provisions to Watch

While the full text of the bill has not yet been released, the Minister has outlined three "compliance pillars" that will likely form the core of the new act:

1. The "Right to Delete" Deepfakes

In a direct response to the proliferation of synthetic media, the bill is expected to introduce a specific legal mechanism allowing individuals to demand the removal of deepfakes, AI-generated images or audio, that depict them without consent. This "right to delete" represents a novel modernization of the right to be forgotten, tailored specifically for the generative AI era.

2. Enhanced Protections for Children

Child safety online is a central theme of the new mandate. We expect the legislation to propose strict age-gating requirements for high-risk digital services, specifically AI-powered chatbots. Platforms may soon be required to verify user ages more rigorously before granting access to interactive AI tools, placing a new technical and compliance burden on digital service providers.

3. Penalties with Teeth

The government is signaling a move away from the "ombudsman" model toward a true enforcement model. The new bill is expected to include significant Administrative Monetary Penalties (AMPs) for non-compliance. If the framework mirrors the now-defunct CPPA, these penalties could be as high as 3% to 5% of global revenue for the most serious contraventions.

The Provincial Context: Catching Up to Quebec and Ontario

This federal initiative arrives at a time when Canada’s privacy landscape is becoming increasingly fragmented. While the federal government paused, the provinces moved forward:

  • Quebec’s Law 25 is fully operational, currently setting the highest bar for compliance in Canada with its strict consent and transparency rules.

  • Ontario’s FIPPA amendments have strengthened data governance for the public sector and aligned closely with modern digital standards.

The new federal bill is widely seen as Ottawa’s attempt to re-harmonize the national standard and prevent a patchwork of conflicting provincial regulations.

What This Means for Your Business

If your organization operates in Canada, the introduction of this bill in December will trigger an immediate need to review your data handling practices. The "right to delete" and age-verification requirements, in particular, may require changes to your technical architecture, not just your privacy policy.

Next Steps:

  1. Audit your data inventory: Ensure you can identify and isolate personal data quickly to comply with future deletion requests.

  2. Review AI integration: If you deploy customer-facing AI tools, begin assessing age-assurance technologies now.

  3. Monitor the tabling: The specific wording of the "transitional provisions" will determine how much time you have to come into compliance.

How We Can Help

Our Privacy & Data Protection group is monitoring the parliamentary docket closely. Once the bill is introduced in early December, we will provide a comprehensive breakdown of the text and a gap analysis against the former Bill C-27.

If you would like our team to conduct a preliminary "Privacy Health Check" to see how your current practices align with these expected changes, contact us today to schedule a consultation.

Charmaine Nyanhemwa
Previous

The Global Age-Gating Wave: What Australia’s Ban and Texas’s App Store Law Mean for AI Governance
Next

Does the EU AI Act Apply to My Canadian Startup? (A 3-Step Test)