New federal privacy bill imposes penalties and data duties on insurers

A new watchdog, breach reporting and consent rules reach the claims desk

Legal Insights

A new federal bill would bind insurers and brokers to fresh privacy duties, with penalties reaching the greater of $10,000,000 or 3% of global revenue.

The federal government introduced Bill C-36 in the House of Commons on June 15, 2026, and it would change how insurance companies and brokers handle the personal information they collect every day. The bill, brought forward by the Minister of Artificial Intelligence and Digital Innovation, enacts the Protecting Privacy and Consumer Data Act. It repeals Part 1 of the Personal Information Protection and Electronic Documents Act and renames what remains of that statute the Electronic Documents Act.

The new Act applies to every organization that collects, uses or discloses personal information in the course of commercial activities. That includes insurers, brokers and the service providers they rely on. For the insurance business, one provision speaks directly to claims work: an organization may collect, use or disclose personal information contained in a witness statement, without the individual's knowledge or consent, when doing so is necessary to assess, process or settle an insurance claim.

Beyond claims, the bill sets out duties that touch most parts of an insurer's operation. Every organization must put in place a privacy management program covering its policies, practices and procedures. It must obtain valid consent before collecting personal information, except where the Act allows otherwise, and consent gained through false or misleading information is not valid. Security safeguards must match the sensitivity of the data held. When a breach creates a real risk of significant harm, the organization must report it to the new regulator and notify affected individuals as soon as feasible, and it must keep records of every breach. Before moving personal information outside Canada, an organization must carry out a privacy impact assessment.

The bill also addresses automated decision systems. If an organization uses such a system to make a prediction, recommendation or decision that could have a legal or similarly significant effect on a person, it must, on request, explain the type of information used, its source and the main factors behind the result.

To enforce the rules, the bill creates a Privacy and Consumer Data Commissioner, supported by a Commission and a Division. The Commissioner can investigate complaints, enter into compliance agreements, issue notices of contravention and carry out audits. The maximum administrative penalty for the contraventions found in a single investigation is the greater of $10,000,000 and 3% of the organization's gross global revenue. An organization that knowingly breaches certain provisions commits an indictable offence and faces a fine of up to the greater of $25,000,000 and 5% of gross global revenue. The Act also creates a private right of action, letting an affected individual sue an organization for damages once a contravention has been established by the Commissioner or the Federal Court, or after a conviction under the Act.

The full text of the bill is available at https://www.parl.ca/DocumentViewer/en/45-1/bill/C-36/first-reading.

The provisions take effect on a date set by order of the Governor in Council, so the timing will depend on a future order.
