Bill C-27 and the CPPA: the status of federal privacy reform

Last reviewed 2026-06-29 · Status changes — verify current status before relying on this. Not legal advice.

For several years, Canadian privacy reform was synonymous with one bill: Bill C-27, the Digital Charter Implementation Act, 2022. It promised to replace the private-sector half of PIPEDA, give the Privacy Commissioner real teeth, and regulate artificial intelligence for the first time. It did none of those things — because it never became law. This page explains what was proposed, what happened to it, and what actually governs you today. You can review the bill's full legislative history on Parliament's tracker: Bill C-27 on LEGISinfo.

What Bill C-27 proposed

Bill C-27 bundled three pieces of legislation into one bill:

• The Consumer Privacy Protection Act (CPPA) — would have repealed and replaced Part 1 of PIPEDA, modernizing consent, adding data-mobility and disposal rights, and — critically — empowering the Office of the Privacy Commissioner to order organizations to comply and to recommend administrative monetary penalties, a power the Commissioner does not have under PIPEDA today.
• The Personal Information and Data Protection Tribunal Act — would have created a new tribunal to review the Commissioner's decisions and impose the penalties the CPPA contemplated.
• The Artificial Intelligence and Data Act (AIDA) — would have been Canada's first federal framework for regulating "high-impact" AI systems in the private sector.

Taken together, it was the most significant proposed overhaul of Canadian privacy law in two decades. None of it is in force.

Why it stalled — the timeline

Bill C-27 was introduced in June 2022 and reached detailed clause-by-clause study at the House of Commons Standing Committee on Industry and Technology, where it remained when Parliament was prorogued in January 2025. Prorogation ends a parliamentary session and terminates every bill that has not yet received Royal Assent — so C-27 died on the Order Paper at committee, never having passed the House. A federal election followed in April 2025, and the bill was not reintroduced in the same form. Public statements from the government later in 2025 signalled that privacy and AI reform would be reconsidered and reshaped rather than the CPPA and AIDA simply being re-tabled as written.

What this means right now

The practical takeaway is simple: build to the law that is actually in force. Federally, that is still PIPEDA — read in full at the Department of Justice: Personal Information Protection and Electronic Documents Act. The enforcement gaps C-27 was meant to close — no order-making power, no administrative monetary penalties from the Commissioner — remain features of the current regime.

But there is a higher bar already operating in Canada: Quebec's Law 25 is fully in force, carries substantial fines, and imposes obligations — privacy impact assessments, transfer assessments, a person-in-charge, a confidentiality-incident register — that look a lot like where federal reform was heading. Organizations that build to PIPEDA and Law 25 are, in effect, already preparing for whatever the next federal bill turns out to contain. Working out which of these laws governs you is the first step; our guide to federal vs provincial privacy law walks it through.

What might come next

Federal privacy reform has not been abandoned — it has been reset. A future bill is likely to revisit the same themes C-27 raised: stronger enforcement powers for the Privacy Commissioner, modernized consent, and some form of AI regulation. The shape and timing are not settled, and this page does not speculate on them. Because the status can change, treat the review date at the top as the as-of point and confirm the current state of any bill on LEGISinfo before relying on it. In the meantime, the privacy-law hub covers every statute that governs you today.