Canada Proposes Major Reforms to Federal Laws Governing Privacy, AI Chatbots and Other Online Services

• Home
• Insights
• Publications
• Canada Proposes Major Reforms to Federal Laws Governing Privacy,...

Canada Proposes Major Reforms to Federal Laws Governing Privacy, AI Chatbots and Other Online Services

Canada's federal government recently launched AI for All, a new national artificial intelligence ("AI") strategy designed to increase AI innovation and adoption in Canada (the "AI Strategy").

As part of the AI Strategy, the government committed to taking steps to protect Canadians from the risks and harms of AI, including by modernizing relevant laws, introducing an online safety regime to protect social media and chatbot users, and improving AI transparency.[1]

The federal government has quickly put this priority into action, releasing a flurry of proposed new legislation governing privacy and certain online services which, if passed, will have far-reaching implications for businesses that operate in Canada or offer their products and services to Canadians.

Regulation of Social Media, AI Chatbots and other Online Services

Countries around the world are grappling with potential harms that individuals may suffer as a result of the proliferation of information (and misinformation) on the internet. Canada has now joined the ranks of governments that are seeking to address such harms, especially the potential impact on children and youth.

Specifically, on June 10, 2026, the Government of Canada tabled Bill C-34, the Safe Social Media Act, which, if passed, will enact two new statutes - i.e., the Digital Safety Act and the Digital Safety Commission of Canada Act, in addition to making consequential amendments to several other federal statutes.

The purposes of the Digital Safety Act, as stated in section 14, include:

• promoting the safety of persons in Canada;
• protecting the physical and mental health of children;
• mitigating the risk that persons in Canada will be exposed to harmful online content, and reducing harms caused by such content;
• enabling persons in Canada to participate in public discourse and exercise their freedom of expression online;
• enabling persons in Canada to benefit from chatbot services while reducing risk of harm;
• making content that sexually victimizes a child, revictimizes a survivor, and intimate content communicated without consent, inaccessible online;
• requiring transparency and accountability by operators that provide regulated online services; and
• contributing to online safety standards.

The Digital Safety Act would apply to certain social media services, AI-powered chatbot services, and other online services that have a certain minimum number of users or pose a significant risk of harm to children in Canada.

Importantly, the Act does not apply to all social media, chatbot or other online services. Rather, the service must have a certain, minimum, number of users that will be set out in regulations to the Act, or otherwise be designated as a regulated service in the regulations (which are not yet available). Accordingly, it is not yet possible for an organization to definitively determine whether it will be subject to this newly proposed legislation. However, some existing and massively popular social media and chatbot services should expect that they will meet the criteria, once defined.

It is also important to note that the Digital Safety Act expressly provides that online services do not include websites and applications where the primary purpose is to: (i) facilitate the sale listing or advertisement of goods or services; or (ii) provide directories, search results, maps or navigation tools.

The Digital Safety Act defines seven categories of "harmful content", which include: "(a) intimate content communicated without consent; (b) content that sexually victimizes a child or revictimizes a survivor; (c) content that induces a child to harm themselves; (d) content used to bully a child; (e) content that foments hatred; (f) content that incites violence; and (g) terrorism or violent extremism content."[2] Each of these categories of harmful content is also specifically defined in the Act.

Operators of regulated services will be subject to a number of obligations under the Digital Safety Act, which depend to some extent on the type of service they provided, including as follows:

1. Obligations of social media services - Operators of regulated social media services must implement adequate measures to mitigate exposure to harmful content, provided certain user-blocking and content-flagging tools, label prescribed synthetic content (where reasonable), make user guidelines publicly available, designate a resource person for user concerns, and preserve certain violent or terrorism-related content for one year. Operators of regulated social media services must also submit digital safety plans to the Digital Safety Commission of Canada (the "Commission")[3] detailing, among other things, their risk assessments, mitigation measures, effectiveness indicators, content moderation data, and related research. These plans must be made publicly available, subject to limited exceptions. In addition, Operators of regulated social media services must make content that sexually victimizes a child or revictimizes a survivor, and intimate content communicated without consent, inaccessible to persons in Canada within 24 hours of identification or flagging (though this timeline may be extended by regulations).
2. Obligations of chatbot services - Operators of regulated chatbot services will be required to mitigate the risk of the service communicating harmful content, implement crisis-intervention measures (including immediate redirection to human-staffed crisis services), and mitigate harmful and deceptive behaviours such as encouraging self-harm or violence against others, impersonating humans including licensed professionals, or using manipulative engagement techniques to encourage users to form emotional attachments in a manner that may encourage social withdrawal or disconnection from reality. Similarly to social media services, chatbot services operators must also implement tools to enable flagging of harmful content, make user guidelines publicly available, submit digital safety plans to the Commission that include prescribed content, and designate a resource person for user concerns.
3. Obligations of other regulated online services - Operators of regulated online services that are not social media services or chatbot services, which are accessible in Canada over the Internet and allow users to interact with a website or application, will be required to submit digital safety plans to the Commission that include prescribed content.
4. Protection of Children - Operators of all regulated services must integrate prescribed child-safety design features and implement age-verification or age-estimation measures to restrict children's access to pornographic content. Regulated social media services are generally required to take certain steps designed to prevent persons under the age of 16 from holding accounts.

If passed, the Digital Safety Commission of Canada Act would establish the Commission as a new independent regulatory body composed of Governor in Council appointees. The Commission would be responsible for administering and enforcing the Digital Safety Act. It would also have broad enforcement powers, including the authority to issue compliance orders and impose administrative monetary penalties of up to the greater of CAD $10 million and 3% of gross global revenue for contraventions of the Digital Safety Act.

Furthermore, under the Digital Safety Act, certain offences carry fines of up to the greater of CAD $20 million and 5% of gross global revenue. In addition, where a social media user has exhausted the operator's internal processes with respect to a takedown request (after making best efforts), they may file a complaint with the Commission. The Commission may then order the content to be made permanently inaccessible.

Federal Privacy Reform - Third Time's a Charm?

Shortly after introducing Bill C-34, the federal government introduced Bill C-36, an Act to enact the Protecting Privacy and Consumer Data Act (PPCDA), to amend the Personal Information Protection and Electronic Documents Act and to make consequential and related amendments to other Acts.

If passed in its proposed form, Bill C-36 would create new federal private sector privacy legislation, the Protecting Privacy and Consumer Data Act (the "PPCDA"), replacing the privacy-related terms of the existing Personal Information Protection and Electronic Documents Act ("PIPEDA").

Observers of Canadian privacy law reform may be experiencing déjà vu. Two prior attempts to overhaul Canada's private sector privacy legislation died when each of the last federal elections were called.[4] This time, reform is tied to the specific goals set out in the AI Strategy. More specifically, the federal government views the passing of the PPCDA to be a "key element" in advancing the AI Strategy, noting that the modernization and strengthening of Canada's privacy laws is essential to mitigate privacy risks associated with the development and adoption of AI and other digital technologies and to foster public trust in their use.[5]

The PPCDA would represent the most significant change to Canada's private sector privacy legislation in more than two decades. Some key proposed changes include, without limitation:

1. Privacy as a Fundamental Right. The PPCDA would expressly recognize that individuals have a fundamental right of privacy with respect to their personal information.
2. New Consent Requirements and Exceptions. The PPCDA would require certain notices to be provided in plain language at or before the time of seeking an individual's consent to collect, use or disclose their personal information. However, in a development likely to be celebrated by businesses, the PPCDA would also introduce new exceptions to the requirement to obtain consent, including to allow an organization to collect and use an individual's personal information without their knowledge or consent for certain business activities, internal research, analysis and development purposes, or activities in which the organization has a legitimate interest, in each case subject to certain conditions and limitations.
3. Cross-Border Compliance Requirements. Unlike PIPEDA, the PPCDA would expressly address the cross-border processing of personal information by requiring an organization to carry out a privacy impact assessment and mitigate risks identified in the assessment before disclosing or transferring personal information outside of Canada.
4. Appropriateness Analysis. The PPCDA would go one step further than PIPEDA by setting out factors that must be considered in determining whether a purpose for and manner of collecting, using or disclosing personal information is appropriate, including, for example, the degree of effectiveness of the intended collection, use or disclosure of the personal information in meeting the organization's legitimate business needs and whether there are less intrusive means of achieving those purposes at a comparable cost and with comparable benefits.
5. Explainability of Automated Decision Systems. Under the PPCDA, an organization that uses an automated decision system to make a prediction, recommendation or decision (each a "Decision") about an individual that could have a legal or similarly significant effect on them would be required to provide, on request, an explanation of the Decision, as well as an opportunity for the individual to make written representations to an employee of the organization who can review the Decision.
6. Guardrails for Deidentification. While the PPCDA would allow an organization to use an individual's personal information to de-identify or anonymize that information without their knowledge or consent, it would also place certain obligations on organizations that use de-identified information, including to consider the risk of an individual being identified when applying technical and administrative measures to de-identified information.
7. Relief for Service Providers. Unlike PIPEDA, most provisions of the PPCDA would not apply to a service provider in respect of personal information that is transferred to it, unless the service provider collects, uses or discloses that information for a purpose other than the purposes for which the information was transferred. However, service providers will still need to safeguard the information they process, and notify the controlling organization of a breach of security safeguards.
8. New Data Subject Rights. In addition to the rights concerning automated decision systems set out above, the PPCDA would also introduce the right to request that one's personal information be disposed of or disclosed to another organization, in each case subject to certain conditions and exceptions.

Significantly, Bill C-36 would bolster enforcement mechanisms be providing for binding orders, as well as significant potential administrative penalties for contravening certain provisions of the PPCDA (e.g., up to the greater of $10 million CAD or 3% of the organization's gross global revenue in the prior fiscal year) and fines of up to the greater of $25 million CAD or 5% of global revenue for certain offences.

What to Expect

The Safe Social Media Act has already generated a lot of commentary, and some controversy, both from businesses and privacy advocates. On the other hand, with some notable exceptions, the proposed PPCDA is quite similar to the past two statutes proposed by the federal government to replace PIPEDA, which is widely considered to be outdated based on global developments in privacy law. Therefore, the three newly proposed statutes may not progress through the next stages of the legislative process at the same rate. However, with the Liberals gaining a majority government earlier this year, the likelihood that these laws will pass, in some form, is high.

McMillan will be closely monitoring the progress of Bills C-34 and C-36, as well as any additional legislative reform proposed in furtherance of Canada's AI Strategy. In the meantime, please contact the authors if you have any questions about how these proposed statutory reforms may impact your organization or would like to discuss steps your organization can take now to address existing Canadian requirements concerning privacy and/or online services.

[1] Prime Minister Carney launches AI for All: Canada's new national artificial intelligence strategy.
[2] Section 2(1).
[3] Note that the Digital Safety Commission of Canada Act establishes the Digital Safety Commission of Canada, but if passed, Bill C-36 would rename this commission as the Digital Safety and Data Protection Commission of Canada (emphasis added).
[4] For a brief history of these prior attempts at federal private sector privacy law reform, see our article here.
[5] Backgrounder: Government of Canada introduces legislation to Protect Canadians' Privacy in the Digital Age.

by Lyndsay Wasser, Professional Corporation and Kristen Pennington

A Cautionary Note

The foregoing provides only an overview and does not constitute legal advice. Readers are cautioned against making any decisions based on this material alone. Rather, specific legal advice should be obtained.

© McMillan LLP 2026