Bill C-27, the Digital Charter Implementation Act, 2022, would fundamentally reshape Canada's federal private-sector privacy landscape. If passed, it would repeal and replace PIPEDA with three new statutes: the Consumer Privacy Protection Act (CPPA), the Personal Information and Data Protection Tribunal Act, and the Artificial Intelligence and Data Act (AIDA). Every Canadian business that handles personal information needs to understand what's coming.
Why is Canada Replacing PIPEDA?
PIPEDA has been in force since 2001 — an era before smartphones, cloud computing, social media, and AI. The federal government determined that PIPEDA's principles-based approach, while flexible, no longer provided sufficient protection in the modern data economy. The CPPA is designed to bring Canada closer to the GDPR standard and respond to the European Commission's adequacy review of Canadian privacy law.
Key Changes Under the CPPA
The CPPA introduces several significant changes from the current PIPEDA regime. It codifies a right to data portability, giving individuals the right to have their data transferred to another organization. It creates a right to erasure (the "right to be forgotten") in certain circumstances. It introduces enhanced consent requirements with specific rules for sensitive information. And it dramatically increases penalties for violations.
Dramatically Higher Penalties
Under PIPEDA, the maximum penalty for non-compliance is $100,000. Under the CPPA, penalties for the most serious violations can reach 5% of global annual revenue or $25 million, whichever is greater. This brings Canada in line with GDPR penalty levels and signals a fundamental shift in how the federal government views privacy enforcement.
New Tribunal for Privacy Disputes
The CPPA would create a new Privacy Protection Tribunal to hear appeals from decisions of the Privacy Commissioner and to impose administrative monetary penalties. This gives the privacy enforcement regime real teeth — unlike PIPEDA, where the Commissioner can only make recommendations.
What Should Canadian Businesses Do Now?
Even though Bill C-27 has not yet passed, the direction of travel is clear. Canadian businesses should use this period to strengthen their privacy programs, conduct privacy impact assessments, review their consent mechanisms, map their data flows, and implement the technical safeguards that the CPPA will require. Organizations that start now will be well-positioned when the new law comes into force.
The regulated professionals SecureVault serves — law firms, CPAs, healthcare providers, financial advisors — will face the highest scrutiny under any new privacy regime given the sensitivity of the information they handle. Building strong privacy infrastructure now is not just good compliance practice; it's a competitive advantage.