Introduction
While reforms to Canada’s federal privacy legislation are on hold, legislative developments continue in some Canadian provinces. This article provides a brief overview of several federal privacy bills that were halted with the prorogation of Parliament in early 2025, and a federal election held on April 28. It also addresses how the provinces ofAlberta, Ontario, and Quebec are advancing their own privacy legislation.
Status of federal reforms
On January 6, 2025, Parliament was prorogued with a proclamation of the Governor General on the advice of the Prime Minister, putting an end to the parliamentary session. Bill C-27 died at the time of prorogation along with Bill C-26 and Bill C-63. A snap federal election was then called on March 23, 2025, with an election held on April 28, 2025, resulting in further uncertainty about the timeline for federal privacy reforms.
Bill C-27 was Parliament’s major legislative reform to strengthen private sector privacy protections by modernizing how regulated organizations handle personal information. Bill C-27 proposed to repeal Part I of the Personal Information Protection and Electronic Documents Act, and replace it with the Consumer Privacy Protection Act (CPPA).
The CPPA strengthened organizational accountability and individual privacy rights by requiring privacy management programs, enhancing consent practices, and outlining specific rules for minors’ information, among other reforms.
Bill C-27 would also have introduced the Personal Information and Data Protection Tribunal Act (PIDPTA), and the Artificial Intelligence and Data Act (AIDA).
The Tribunal under the PIDPTA would have had jurisdiction over appeals from the Privacy Commissioner’s decisions, compliance orders, and recommended penalties under the CPPA.
The AIDA sought to regulate international and interprovincial trade and commerce in AI systems by establishing common requirements applicable across Canada.
Bill C-26, entitled the Cyber Security Act, represented a significant step in protecting Canada’s critical cyber infrastructure. The Bill gave the federal government the power to enforce cybersecurity standards in industries critical to national security and public safety. The Bill introduced mandatory reporting obligations, and new regulatory powers with penalties for non-compliance.
Bill C-63, the Online Harms Act, aimed to promote Canadians’ online safety by imposing duties on social media platforms to act responsibly and implement measures to mitigate exposure to harmful content.
As it remains uncertain whether these Bills, or similar bills, will be reintroduced in the next Parliament, the provinces are moving ahead updating their privacy laws.
Provincial legislative updates
Alberta
Alberta is exploring changes to its private sector privacy regime – the Personal Information Protection Act (PIPA). The Standing Committee on Resource Stewardship concluded its review of PIPA and released its recommendations on February 21, 2025.
The Committee proposed stronger enforcement powers for the Information and Privacy Commissioner, clarifying consent and significant harm definitions, and protecting minors’ information among other recommendations.
Cabinet will review these recommendations and determine how to implement them into the next iteration of PIPA.
Ontario
Ontario’s Enhancing Digital Security and Trust Act (EDSTA) received royal assent on November 25, 2024. The Act imposes new requirements on the public sector regarding cyber security, artificial intelligence and minors.
Under the legislation, the provincial government can require public sector entities to implement cyber security programs, which may include designating responsible personnel for ensuring cyber security and response and recovery measures after a cyber incident.
The legislation also requires public entities using AI to publicly disclose their use of AI, implement an accountability framework, establish risk management measures, and refrain from any use of AI that is prohibited by regulations.
The Act would apply to all institutions covered by the Freedom of Information and Protection of Privacy Act (FIPPA) and the Municipal Freedom of Information and Protection of Privacy Act (MFIPPA), as well as children’s aid societies and school boards.
Quebec
Lastly, Quebec has enacted comprehensive privacy legislation with its Private Sector Act across multiple phases of implementation, most recently introducing data portability rights and data anonymization requirements for organizations.
Quebec also introduced further compliance requirements for financial institutions, which include developing an incident management policy addressing detection, assessment, and response, as well as reporting to the the Autorité des marchés financiers (AMF), effective April 23, 2025.
Conclusion
The fate of federal privacy reform remains uncertain; however some Canadian provinces have taken significant steps in updating their privacy legislation. These changes impact public and private sector organizations operating across Canadian jurisdictions.
Article provided by INPLP member: Wendy Wagner (Gowling WLG, Canada)
Discover more about the INPLP and the INPLP-Members
Dr. Tobias Höllwarth (Managing Director INPLP)
