Bill C-36, the Consumer Privacy and Data Protection Act, is a broad-based initiative to try to manage privacy issues, especially for children. This is the first major overhaul of Canadian privacy laws in decades, targeting AI security risks.
The bill is also a good example of how incredibly complex the legal regulation of data privacy has become as AI emerges as the driving factor of digital life. It is a very demanding environment for managing basic laws at the most basic level.
In practice, Bill C-36 may involve simple privacy issues or broad-spectrum privacy breaches as large as the recent major data breaches. In its current form, the bill looks very much like a clampdown on privacy issues at every scale.
With ongoing and growing global demands for effective AI governance, Bill C-36 could become a test case for the future of AI regulation around the world.
This is also not an easy target at any level of practical implementation. Bill C-36 covers such a wide range of possible future issues. The current legislation now before first reading in Parliament includes 147 specific sections.
The summary section of Bill C-36 is an indication of the degrees of difficulty:
This act adopts the Law on Protection of Privacy and Consumer Data to regulate the protection of personal information of individuals taking into account the need of organizations to collect, use or disclose personal information in the course of commercial activities.
This is a very broad foundation for regulating almost anything and everything related to privacy, compliance and enforcement. The other big issue in this legislation is “data inference,” not just data collected online, but indirect profiling and patterns used to identify people and markets.
This is a huge privacy issue in that people can be identified by inferences drawn from hard data and “miscellaneous data”, creating a picture of their health, financial affairs and more. It is the workhorse of targeted advertising, phishing and the de facto source of profiling. People can be identified indirectly by other behaviors and patterns.
With the advent of AI, conclusions have entered an entirely new frame of reference for regulation. In legal terms, it is a sandbox. The new terminology refers to “de-identification” and “re-identification,” which describe the process of privacy erosion or complete destruction by AI inferences. This also exposes the almost total inadequacy of current privacy laws. These processes did not even exist when most privacy laws were passed.
The role of Bill C-36
The Bill includes functional roles in Part 2, including multiple delegations:
Creation of a Commission and its powers, duties and functions
Appointment of a Commissioner
Division
Codes of Practice and Certification
Legal remedies Submission of complaints
Investigation of Complaints
Compliance Agreements
Audits
complaints
Enforcement of Orders
Certificate under the Canada Evidence Act
Amendments and Provisions of Entry into Force
As dry as it sounds, this is a map of the entire framework for Bill C-36, the Privacy and Consumer Data Protection Act. This is a description of how the law should work to achieve its goals. It is effectively a new jurisdiction.
The Realities of AI Privacy Regulation
It is important to note that any new legislation has built-in issues, and Bill C-36 has all the ingredients for ongoing updates to manage a very murky legal environment:
Legislation needs to be adapted. The bill is just the beginning. Even at this early stage, Bill C-36 may be subject to amendment before it is passed or even redrafted to address new issues.
Untested legislation inevitably evolves. The true test of legislation is by challenge or dispute. From case law or the need for new regulations, untested legislation is a work in progress from the day it comes into effect. The bigger the role, the wider the field of evolution.
The regulatory range of legislation defines its challenges. This bill, in particular, is written almost entirely in uncharted legal territory, simply because of the drastic expansion of the legal framework made possible by AI capabilities. Each aspect will be subject to future court decisions and challenges.
“AI Termination Factor” it is a very harsh call for regulation. AI inferences work on everything from hard data to new or “invisible” data. At what point do inferences violate privacy laws? How do you prove a privacy breach or the effects of a breach? That’s exactly what Bill C-36 is dealing with.
Laws must be consistent and applied consistently. Laws cannot contradict each other. There are also numerous related acts that need to be amended to cover their functions in relation to Bill C-36. Parts 3 and 4 of the draft law refer to 17 other acts and Statute of Canada 2010.
A first step towards the future
A very strong positive for Bill C-36 is that it directly addresses gaping holes in global data privacy and broad spectrum regulation despite the rapid adoption of laws in 140 countries. Most privacy laws around the world are a hodgepodge of provisions that treat privacy as an abstract concept rather than at a functional level. They also As the EU’s General Data Protection Regulation predates modern AI, which is a critical theme of Bill C-36. Some are tougher than others, but ground level enforcement is a very new ball game. This is where Bill C-36 is breaking new ground.
The highly fluid nature of technology has created these problems as the actual circumstances of privacy breaches change. Courts are the default arbitrators, but even courts must work with the theory of remedies and whether existing regulations adequately address the circumstances.
The same applies to data management. It’s quite possible, especially with AI, to inadvertently and unintentionally violate privacy without knowing you’ve done it. This bill at least clarifies the rules at the operational level to a large extent.
This first step is to get a handle on the realities of privacy in the Age of AI. Let’s hope it works.





