Watch the North: Canada’s Proposed Legislative Overhaul Has Cross-Border Implications

8 Min Read By: Lisa R. Lifshitz, Laura Crimi

In Brief

  • Bills C-34 and C-36, introduced in June 2026, represent Canada’s most comprehensive effort to regulate online harms, AI chatbot services, and private-sector data privacy in over two decades.
  • Both bills impose substantial administrative monetary penalties tied to gross global revenue—up to $10–20 million or 3–5 percent of worldwide earnings—extending significant financial exposure to entities with even minimal Canadian operations.
  • Bill C-34’s Digital Safety Act imposes binding duties on social media platforms, AI chatbots, and other online services to protect children, remove harmful content expeditiously, and maintain transparent digital safety plans subject to regulatory oversight.
  • Bill C-36’s proposed privacy amendments to Canada’s existing federal private sector act elevate privacy to a fundamental right, mandate enhanced transparency around automated decision-making, and designate children’s personal information as sensitive by default. Enforcement will be consolidated in a new regulator, the Digital Safety Commission of Canada.
  • U.S. companies with any Canadian dimension should assess their risk exposure under both bills in parallel, consider necessary compliance measures as recommended by Canadian legal counsel, and keep a watchful eye as Bill C-34 and Bill C-36 move through the legislative process.

Over the span of a single week in June 2026, the Canadian government advanced significant new legislation to regulate online harms and modernize its national privacy regime. Coupled together, the changes brought forward by Bills C-34 and C-36 represent a significant modernization of Canada’s regulation of the internet and artificial intelligence (“AI”).

On June 10, 2026, Bill C-34, an Act to enact the Digital Safety Act and the Digital Safety Commission of Canada Act and to make consequential amendments to other Acts (Bill C-34”), billed as Canada’s most sweeping and comprehensive statutory framework for online safety to date, was tabled in the Canadian legislature. Bill C-34 puts social media companies, AI chatbot providers, and a range of online services on notice of incoming regulations. Five days later, on June 15, 2026, the Minister of Artificial Intelligence and Digital Innovation tabled Bill C-36, an Act to enact the Protecting Privacy and Consumer Data Act, to amend the Personal Information Protection and Electronic Documents Act and to make amendments to other Acts (“Bill C-36”). Bill C-36 is a proposed overhaul of the Canadian private-sector privacy regime, which is the most significant modernization of Canada’s privacy framework in more than twenty years. One bill governs online content and conduct; the other governs privacy and data. Together, if enacted, Bills C-34 and Bill C-36 would create new federal regulators, regulate online activity, and introduce significant administrative monetary penalties for noncompliance.

Neither Bill C-34 or Bill C-36 is law, yet. Each has cleared only the first reading in the House of Commons and must still move through the House and the Senate, and receive Royal Assent. For U.S. attorneys with clients that operate in Canada, collect data from Canadians, or otherwise run digital platforms that are accessible north of the border, the time to scope exposure is now.

Bill C-34: Regulating the Internet

Bill C-34 would enact two statutes: the Digital Safety Act (“DSA”) and the Digital Safety Commission of Canada Act (“DSCCA”). Together, they would create a framework of binding duties, new enforcement mechanisms, and significant financial penalties for noncompliance. The bill is a revamped version of Bill C-63, the Online Harms Act, which was introduced in 2024 but never became law.

The proposed Bill C-34 regime reaches well beyond conventional social media. The DSA would apply to three categories of regulated services accessible in Canada: social media services, AI chatbot services, and other online services. The third category is engaged only where the government is satisfied the service in question poses a significant risk of harm to children.

The DSA will primarily target seven types of harmful content, specifically the following:

  • intimate content communicated without consent (including deepfakes)
  • content that sexually victimizes a child or revictimizes a survivor
  • content that induces a child to harm themselves
  • content used to bully a child
  • content that foments hatred
  • content that incites violence
  • terrorism or violent extremism content

Further, the DSA imposes four primary duties. First, the DSA introduces the duty to protect children, which applies to every regulated service. Operators must implement design features for a safer minor experience, apply age verification or estimation to limit children’s exposure to pornographic content, and keep compliance records. Social media faces the most stringent version: a minimum account age of sixteen absent an exemption based on sufficient safeguards. Secondly, the DSA imposes a duty to act responsibly, which requires social media and AI chatbot operators to reduce users’ exposure to harmful content. Online platforms must label synthetically generated material, including AI audio or video that could be mistaken for real recordings, and give users tools to flag content and block other users. AI chatbots are additionally prohibited from four behaviors, including pretending to be human, impersonating licensed professionals, using manipulative techniques to foster unhealthy emotional dependencies, and encouraging self-harm or suicide. Thirdly, the DSA establishes a duty to make content inaccessible, which requires social media services to remove child sexual abuse material and nonconsensual intimate images (deepfakes included) within twenty-four hours. And finally, the DSA creates a duty of transparency, which requires every regulated service to publish a digital safety plan, a public-facing disclosure the regulator will assess.

Enforcement of the DSA under Bill C-34 will fall to the new DSCCA. The DSCCA is authorized to set standards and issue guidance, audit safety plans, hold hearings, compel testimony and documents, issue compliance orders enforceable as Canadian Federal Court judgements, and administer user complaints. The financial risk of noncompliance with the new DSA is substantial: maximum offense fines on conviction are the greater of $20 million or 5 percent of gross global revenue, and administrative monetary penalties levied by the DSCCA are the greater of $10 million or 3 percent of gross global revenue. Operational detail will follow in regulations, which are to be prepublished in the Canada Gazette with an opportunity for public commentary.

Bill C-36: The Privacy Reset

Bill C-36 seeks to enact the Protecting Privacy and Consumer Data Act (“PPCDA”), replacing key provisions of the existing federal Personal Information Protection and Electronic Documents Act (“PIPEDA”). The PPCDA is designed to strengthen protection of Canadians’ personal information in a data-driven economy shaped by AI and automated decision-making and follows two earlier failed efforts: Bill C-11 (2020) and Bill C-27 (2022). Bill C-27 (2022) was designed to replace PIPEDA with the new Consumer Privacy Protection Act (“CPPA”) and regulate AI—but died on the Order Paper when Canada’s Parliament was prorogued in January 2025.

Bill C-36 expressly recognizes privacy as a “fundamental right” and expands individual control over personal information, including rights of access, correction, deletion, and data mobility—each backed by a structured compliance process that organizations must follow when responding to a request. It imposes more rules-based governance obligations, requiring businesses to maintain mandatory privacy management programs with documented policies, safeguards, complaint processes, and assigned compliance responsibility. In short, it creates auditable structures capable of demonstrating compliance on demand.

Two features of Bill C-36 warrant particular attention. First, the proposed bill heightens transparency around automated decision-making such that organizations would have to disclose their use of such systems, provide individuals with explanations, and offer a means to challenge decisions. Secondly, Bill C-36 also designates children’s personal information as sensitive by default, triggering heightened safeguards and stricter limits on its collection, use, retention, and disclosure.

Notably, Bill C-36 departs from its predecessor Bill C-27 by dropping the proposed AI-specific framework and focusing exclusively on privacy modernization. Enforcement is consolidated in a new regulator, the DSCCA, armed with the binding order-making power and administrative penalties for noncompliance with either PPCDA or PIPEDA reaching the greater of $10 million or 3 percent of gross annual global revenue. The cumulative effect of the changes proposed by Bill C-36 is movement towards a rights-based framework backed by stronger enforcement, with particular attention to automated decision-making, cross-border data transfer, and children’s data.

Why U.S. Counsel Should Be Paying Attention (Now)

For U.S. practitioners, what matters most is not the mechanics of either bill but what the two signal together and how far their reach extends.

The penalties follow global revenue, not a Canadian footprint. Consistent with certain global trends, both Bills C-34 and C-36 size their maximum penalties against a percentage of gross global revenue. A company’s exposure is therefore not bounded by the scale of its Canadian operations. Even a small Canadian presence can expose a company to a penalty measured against its worldwide revenue. For any client with meaningful global revenue coupled with a limited Canadian nexus, that asymmetry is the central risk to flag to clients.

This is not exclusively a social media or “tech company” issue. Bill C-34 turns on whether a service is accessible in Canada. This is a threshold that can capture platforms with no Canadian establishment and no deliberate Canadian targeting. If a U.S. client operates an online service through which Canadians interact, share, or create content, it could fall within the scope of Bill C-34. In turn, Bill C-36 governs the handling of Canadians’ personal information across the data life cycle, with express attention to cross-border transfers. U.S.-based entities that may not be traditionally seen as “operating in Canada” may nonetheless be within scope.

The exposure clusters where clients are already concentrated. U.S. companies that own, host and operate AI chatbots should be on particular alert given this new prospective legislation. Canadian law has rarely regulated chatbots head-on, and the DSA would be among the first statutes to place binding safety duties directly on their operators. Automated decision-making draws new Bill C-36 duties to disclose its use and let individuals challenge the resulting decisions. Children’s data attracts heightened treatment under both bills, bringing Canada closer in line to other counties, including the United States and Australia, that have previously focused more on the protection of children. Organizations with AI-facing products, consumer platforms, or services used by minors run the risk of the most acute exposure.

Next steps. Internet businesses with any Canadian dimension—ranging from operations, users, data, or platforms accessible to Canadians—should assess their risk exposure under both bills in parallel, consider necessary compliance measures as recommended by Canadian legal counsel, and keep a watchful eye as Bill C-34 and Bill C-36 move through the legislative process. Canada’s digital rulebook is being rewritten, and attention by U.S. attorneys is critical to ensure ongoing success for U.S. business.

MORE FROM THESE AUTHORS

Connect with a global network of over 30,000 business law professionals

18264

Login or Registration Required

You need to be logged in to complete that action.

Register/Login