Federal privacy bill targets employee data and AI hiring, with fines up to 5% of revenue

Protecting Privacy and Consumer Data Act would reshape how employers handle employee information, deploy AI in hiring and transfer data abroad


Canadian employers will face new rules on how they collect employee information, deploy AI in hiring and move personal data outside the country under new legislation.

Bill C-36, the Protecting Privacy and Consumer Data Act (PPCDA) – tabled June 15, 2026 – recasts privacy as a fundamental right and exposes organisations to fines of up to $25 million or 5% of global revenue.

Evan Solomon, Minister of Artificial Intelligence and Digital Innovation, announced the bill in Ottawa. Innovation, Science and Economic Development Canada (ISED) calls it a modernisation of a private-sector privacy law it says is more than 25 years old and predates AI at scale and algorithmic decision making.

The PPCDA would "require meaningful consent for the use of personal information and plain-language explanations for how personal information is handled," ISED says — a test for the dense notices many employers embed in onboarding and HR systems.

It would also create a right to deletion, raising operational questions for retention schedules, departed-employee records and databases of unsuccessful candidates.

AI hiring and automated decisions

The provision most relevant to recruitment requires that "organizations are transparent about their use of automated decision making for significant decisions about individuals," per ISED — language that covers resume screening, candidate ranking and automated scheduling.

Employers would need to explain, in plain terms, when an algorithm shapes a consequential employment decision — a shift for organisations that adopted AI hiring tools quickly and understand their vendors' models only loosely.

ISED frames the bill as a cornerstone of Canada's National Artificial Intelligence Strategy: AI for All, tying privacy compliance and responsible-AI governance into a single oversight task for HR.

North America is one of the most complex regions for compliant employment. Multiplier describes it as running on “overlapping rules that vary across states and provinces,” with professional employer organisation rules and worker‑classification laws that can turn “small missteps” into costly problems.

Cross-border data, enforcement and timing

PPCDA would require risk assessments before personal information is transferred outside Canada, affecting the many payroll providers, HR information systems and benefits platforms hosted abroad. Employers may need to map their cross-border data flows. ISED says the legislation would also support data mobility, letting individuals move their information between organisations where a framework applies.

A new arm's-length Digital Safety and Data Protection Commission of Canada would enforce the law through binding orders, with penalties of up to $10 million or 3% of global revenue, and fines of up to $25 million or 5% for the most serious offences.

The PPCDA is tabled legislation, not law, and the release specifies no coming-into-force date; its details could change in committee study. Solomon said it would "give Canadians more control over their personal information, strengthen protections for children and give businesses clearer rules to innovate responsibly." HR teams can begin now by inventorying employee data, reviewing AI hiring tools and confirming where employee records are stored.
