Privacy Bill C-27 left in limbo as Trudeau resigns

January 15, 2025

Impact of parliamentary prorogation

Parliament’s prorogation has significant implications for all pending legislation, including Bill C-27. This sweeping privacy reform package was intended to replace the current Personal Information Protection and Electronic Documents Act (PIPEDA) and introduced the new Consumer Privacy Protection Act and the Artificial IntelligenceThe use of computer systems to perform tasks normally requiring human intelligence, such as decision-making, speech recognition, translation etc. and Data Act (AIDA). These Acts have also now technically died along with all other Government bills that didn’t receive assent before the prorogation.

PIPEDA looks set to remain unchanged until at least 2026, leaving organisations to navigate an increasingly complex global privacy landscape with a framework that falls short on addressing AI risks and lags behind the stronger consumer protections abroad.

What happens next?

For Bill C-27 to have any chance of survival, it would need re-introducing in the next parliamentary session. But with a federal election looming no later than October 2025, the Bill’s future looks even more uncertain. Opposition parties could theoretically resurrect it but are more likely to focus their time and efforts on election strategy than supporting the current Government’s initiatives.

Eyes turn to the Provinces

However, according to Vance Lockton, Senior Technology Policy Advisor for the Office of the Privacy Commissioner of Canada, there is a potential silver lining. He points out that provincial privacy initiatives could gain momentum.

‘A couple of years ago, Ontario was considering a private sector privacy law, which was (arguably) forestalled by C-27. So those discussions could come back...Alberta’s also in the processA series of actions or steps taken in order to achieve a particular end. of reviewing its legislation, so that could get more traction.’

The impact on individuals and businesses

For individuals, the uncertainty surrounding Bill C-27 means personal dataInformation which relates to an identified or identifiable natural person. remains governed by outdated laws that are ill-equipped to address modern privacy risks. Compared to jurisdictions with more comprehensive consumer protections, Canadians could face fewer safeguardsWhen transferring personal data to a third country, organisations must put in place appropriate safeguards to ensure the protection of personal data. Organisations should ensure that data subjects' rights will be respected and that the data subject has access to redress if they don't, and that the GDPR principles will be adhered to whilst the personal data is in the... and less control over their data, depending on future legislation.

For businesses operating in Canada, the legislative ambiguity around Bill C-27 creates some very real challenges:

Widening global disparity between Canadian privacy standards and international frameworks like the GDPR
Future planning for privacy compliance is increasingly difficult in an unpredictable regulatory landscape
Lack of clear guidance on implementing AI creates uncertainty in meeting emerging global standards
Adequacy with the EU risks being reconsidered, as it was previously assumed secure with the passage of C-27

Looking ahead

Ben Seretny, DPO and Head of DPOs at The DPO Centre has this advice for businesses:

‘Parliament’s return will, no doubt, clarify Bill C-27’s fate, but right now it’s future looks improbable. Though re-introduction is possible, securing its passage before the next federal election seems increasingly unlikely. For now, Canadian organisations would do well to stay nimble in their approach to privacy and AI compliance.’

Keep up to date on the latest privacy and data protection news, subscribe to our fortnightly newsletter, The DPIA.