Bill C-36: Canada tackles deepfakes and surveillance pricing

TORONTO, ON –

Positioned as a major reset for the current federal private-sector privacy law in the AI era, Canada’s new Bill C-36 is one of the most important digital regulation developments this year.

Bill C-36 recognizes privacy as a fundamental right, promises stronger rules for children’s data, increases transparency around automated decision systems, and creates a new regulator. The bill also confront two of the most urgent AI-era problems: deepfakes and surveillance pricing.


Canada finally acts on AI harm

Canada’s private-sector privacy law has long been criticized as outdated in a world of large-scale behavioural tracking, automated decision-making, and AI-fuelled commercialization of personal information. Bill C-36 is intended to modernize Canada’s private-sector privacy framework in response to a rapidly changing digital environment.

Although Canada has made earlier (unsuccessful) attempts at privacy law reform, including under Bill C-11 and Bill C-27, the timing of Bill C-36 reveals how long government has allowed harmful uses of data, identity, and algorithmic power to grow before stepping in.

This begs the question: Is Ottawa actually getting ahead of AI-enabled harm, or is it responding only after the damage has become politically visible and commercially entrenched?


What Bill C-36 does

On June 15, 2026, the federal government announced Bill C-36, the Protecting Privacy and Consumer Data Act (PPCDA). If passed, the bill would recognize privacy as a fundamental right, treat children’s personal information as especially sensitive, strengthen meaningful consent, require greater transparency around automated decision systems, support data mobility, permit individuals to request deletion or disposal of personal information in certain circumstances, and replace Part 1 the Personal Information Protection and Electronic Documents Act—Canada's existing privacy legislation.

Bill C-36 expands the earlier Digital Safety Commission from Bill C-34, tabled only five days prior on June 10, into the Digital Safety and Data Protection Commission of Canada, with responsibility for both online-safety obligations and private-sector data protection. The bill also creates a Privacy and Consumer Data Commissioner within that framework and gives the regulator unfettered enforcement powers, including audits, compliance orders, administrative monetary penalties of up to $10 million or 3% of global revenue, and, for the most serious offences, fines of up to $25 million or 5% of global revenue.

This shift effectively consolidates digital enforcement powers in a single five-member body, removing private-sector privacy oversight from the Privacy Commissioner’s jurisdiction, and folding it into the same government-created super-regulator also tasked with policing online harms. This raises questions as to whether the Digital Safety and Data Protection Commission is truly an independent body.

AI now, privacy reform later

Bill C-36 was introduced alongside AI for All, Canada’s National Artificial Intelligence Strategy (AI Strategy), launched on June 4 with a clear mandate to accelerate adoption, expand compute capacity, support large-scale data centres, and make AI more commercially acceptable to the public. Incidentally, the PPCDA falls under one of the AI Strategy’s core pillars, which situates a privacy law reform bill inside a much larger push to normalize AI deployment rather than constrain it.

That framing exposes the government’s underlying logic: promise jobs and economic growth, accelerate adoption, and then use privacy reform to reassure the public that the system will be safe enough to trust—even in the absence of a fully developed, economy-wide framework for private-sector AI governance. When the government leverages legislative proposals to legitimize a broader commercialization agenda rather than to interrogate it, that logic becomes harder to accept at face value.

To its credit, Bill C-36 does seek to strengthen privacy rights, but its introduction alongside a nationwide push for AI adoption raises serious questions about accountability, design, and commercialization. The real issue is whether the bill will genuinely enact regulations to make widespread AI use safe, or whether it’s introduction is a smokescreen to make the AI Strategy more politically defensible without confronting the power, profit, and risk structures that provoked it.

Deepfakes: new urgency, old harm

The timing issue

One of the most attention-grabbing aspects of Bill C-36 is its treatment of deepfakes. Media coverage of the bill highlights statements from Evan Solomon, Minister of Artificial Intelligence and Digital Innovation, that Canadians should be able to request deletion of AI deepfakes and that new privacy powers will help tackle image-based abuse and the misuse of personal data in synthetic content. In that framing, the bill sounds like a timely answer to an emerging technological threat.

But that rhetoric glosses over the fact that these harms were visible and largely unaddressed long before the current wave of AI innovation. For years, women and girls were have been victimized by photoshopped nudes, face‑swapped pornography, and other manipulated sexual images created using older editing tools and circulated without consent. The tools were less sophisticated, but the damage was the same: reputational ruin, extortion, harassment, bullying, loss of safety at home, school and work. AI has simply made it cheaper, faster, and harder to trace.

Bill C-36 may open new avenues for deletion, oversight, and enforcement, but its timing follows a familiar pattern: the government tolerates harm for years and only legislates after technology has industrialized the abuse—not when survivors first demanded protection.

By contrast, the UK made image-based abuse, commonly referred to as “revenge porn,” a criminal offence through the Online Safety Act 2023, and it has since gone further by criminalizing the creation and sharing of sexually explicit deepfakes. In the United States, Paris Hilton has publicly backed federal anti-deepfake efforts, including by supporting legislation such as the DEFIANCE Act (Disrupt Explicit Forged Images and Non-Consensual Edits Act) enacted earlier this year, which gives victims of non-consensual deepfake pornography a civil remedy against those who create or distribute it.

Against that backdrop, Canada’s approach looks less like genuine leadership and more like a delayed attempt to catch up with harms other jurisdictions have already taken steps to regulate.

The structural problem

Beyond the government’s reactive approach lies a deeper structural problem. When AI Minister Solomon speaks publicly about deepfake harm, the emphasis is usually on punishing the individual who generates or circulates the content. That instinct is understandable, but it misses the more important point: the system was capable of producing the fake in the first place.

If an AI model can generate non-consensual or otherwise obviously abusive synthetic content on demand, then the harm did not begin with the end user. It began with an inappropriate product feature, a safety failure, or a commercial decision not to constrain predictable misuse at the development stage. In that sense, the harm was technically avoidable: a model with robust guardrails could have refused the prompt, blocked the output, and prevented the deepfake from ever existing, let alone circulating.

The problem is that most of the government’s regulatory response still targets users, platforms, and retail-level misuse, not the companies that design and deploy these AI systems. A regime that punishes only downstream actors risks treating AI harm as a misuse problem rather than a system-design problem.

By focusing on AI users, Ottawa is signalling its preference to police the symptoms rather than the source of the risk while leaving system design choices and core commercial incentives largely intact. That allows AI developers to externalize the consequences of their own choices and products, even where the harm was foreseeable and preventable.

Surveillance pricing: finally named, but not fully defined

On the economic side of consumer protections, Bill C-36 is intended to ensure personal information is used responsibly and address the use of personal information in unfair pricing practices such as inappropriate surveillance or algorithmic pricing.

The basic concern is straightforward: companies use behavioural data, browsing history, device signals, location tracking, or purchasing patterns to infer what a particular person is willing to pay and then quietly tailor prices accordingly. In other words, retailers use personal data to charge different consumers different prices for the the exact same items.

AI Minister Solomon has stated publicly that companies should not be allowed to exploit a person’s vulnerabilities or private information to charge unfair prices, particularly where those data-driven inferences are being weaponized against consumers.

While that claim sounds decisive, “surveillance pricing” is not defined in any detailed terms in the bill itself. Instead, the bill still relies on future regulator guidance to determine how the practice will be treated. In practical terms, this means the real rules may still be years away, even though surveillance pricing is already technologically feasible and commercially attractive in concentrated digital markets. If the law condemns the practice in principle but delays the actual rules, consumers remain vulnerable to corporate price gouging tactics while businesses are left with confusing messaging in place of legislative clarity.

That delay is especially difficult to justify when, federally, the government is only now attempting to confront a problem critics say should have been addressed much earlier. However, in response to motions and bills tabled by NDP and Liberal opposition leaders, Doug Ford’s Ontario PC government has openly voted against banning the practice online and in retail stores, siding with corporate retailers and tech companies as Canadians face growing exposure to data-driven price discrimination. In that context, the federal government is at least attempting to act, whereas Ontario has chosen to forego stronger consumer protections in favour of the status quo.

Ottawa is stronger on symbolism than speed

Bill C-36 undeniably contains reforms that many privacy lawyers and advocates have wanted for years, particularly stronger enforcement and more explicit rights language. But the bill still leaves core issues unresolved.

Canadian law professor Michael Geist argues that even if Bill C-36 contains meaningful new rights and powers, the path to implementation is so long and layered that substantive reform may not take effect until 2030 or later. The Canadian Civil Liberties Association goes further, arguing that the bill’s recognition of privacy as a “fundamental right” is undermined by broad business exceptions, permissive treatment of de-identified data, and weak constraints on AI systems despite well-documented harm.

Those critiques speak to the government’s credibility in the wider context of the AI Strategy. Bill C-36 makes ambitious promises to Canadians without answering key questions on implementation, instead relying too heavily on future guidance while preserving broad room for commercial exploitation under the banner of responsible innovation.

For businesses, that creates uncertainty. For individuals, it creates a familiar concern that the rhetoric of rights may arrive faster than the practical ability to enforce them. In all cases, it creates a material erosion of trust.

Regulating after harm scales is a dangerous play

The government’s largely reactive model of digital regulation highlights a major procedural concern. Deepfakes are taken seriously once they become faster and more scalable. Surveillance pricing is addressed once personalized extraction becomes a visible political issue. Privacy reform becomes urgent once AI adoption is already being aggressively promoted as a national economic priority.

That sequencing means the law is still arriving after the market has already moved, the harms have already matured, and businesses have already built incentives around practices that may later be called abusive or outlawed. This exemplifies how Canadian digital regulation often trails commercialization rather than shaping it at the source.

A more preventive model would ask harder questions earlier. It would not only create deletion rights after a deepfake exists; it would also examine whether companies that build or deploy systems capable of producing obvious non-consensual abuse should face direct design-based duties. It would not just criticize surveillance pricing once it becomes headline-worthy; it would clearly regulate the collection, inference, and monetization practices that make this exploitive corporate practice possible in the first place.

The final takeaway

Bill C-36 may become the most important federal privacy reform Canada has seen in decades, and it signals that Ottawa understands public trust is essential if AI adoption is going to expand. But the bill also exposes a recurring weakness in Canada’s digital-policy playbook: government often steps in only after harmful practices have become normalized, scalable, and politically impossible to ignore. Even then, the substantive law is delegated to regulations that do not yet exist.

Deepfakes and surveillance pricing are powerful examples of AI harm that impact us directly. One attacks dignity, identity, and safety. The other targets consumers through inference, profiling, and individualized extraction. Bill C-36 finally names both.

But why has it taken Canada this long—and is naming them really enough to protect Canadians against the AI risks of today?


Need help understanding the intricate contracts that govern your creative work, or want to build a strategy for IP protection? Diverge Legal is here to help.

If you’re ready for representation that understands the difference between a data point and your dream, contact Diverge today.


Read these next


More about DIVERGE

Diverge is not just a legal service provider. We’re your partner in building a legally sound and sustainable content creation business. We understand the unique challenges creators face and offer tailored solutions to protect your intellectual property, ensure regulatory compliance, and minimize legal risks.

Whether you’re an established influencer or an emerging creator, Diverge is here to help you focus on what you do best, while we take care of the legal complexities.

Reach out to Diverge today to learn more about how we can support your content creation journey.

Follow @diverge.legal on social media or subscribe to our newsletter below for more tips on protecting your creative rights and thriving in the creator economy.


Important Notice: The information in this article is provided for general informational purposes only and is not intended as legal advice. Reading this content does not create a lawyer-client relationship. Always seek professional legal counsel tailored to your specific situation. No part of this article may be reproduced or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording or otherwise, or stored in any retrieval system of any nature, without the express written permission of Diverge Legal.

Marli Kicz (B.A, LL.B, LL.M)

Founder and Managing Lawyer @ Kicz Legal Professional Corporation (dba Diverge Legal) –Business, Contracts, Entertainment, & IP (former BigLaw attorney, dual-licensed ON & UK)

https://divergelegal.com/about#lawyer
Next
Next

Bill C-34: Canada’s Online Safety Act is Thin on AI Governance