ClearBreach


Bill C-36 (PPCDA): Canada's New Privacy Law Lets Customers Sue You Directly

By Yong Du

Bill C-36's PPCDA creates a private right of action under section 132. After a confirmed contravention finding, individuals can sue for damages.

How enforcement works under PIPEDA

Under PIPEDA, a person who believes an organization has mishandled their personal information files a complaint with the Office of the Privacy Commissioner. The OPC investigates and issues a report of findings. If it finds a contravention, it can make recommendations to the organization, but it cannot order compliance and it has no power to impose financial penalties.

The court route does exist, but only after the complaint process. A complainant who has received the OPC's report (or notice that the investigation was discontinued) may apply to the Federal Court for a hearing under section 14 of PIPEDA, and the Court may order the organization to correct its practices and award damages, including damages for humiliation (section 16). The OPC may also apply to the Court with the complainant's consent (section 15). In practice, court applications are uncommon and damages awards have been modest, and the OPC's finding on its own carries no financial consequence.

The practical result: an organization that receives a complaint finding and ignores it faces limited and infrequent consequences unless the complainant is prepared to take the matter to the Federal Court.


What section 132 of the PPCDA changes

After the Commission issues a confirmed contravention finding, affected individuals can sue the organization for damages in Federal Court or a provincial superior court.

The organization now faces two parallel exposures after a confirmed finding:

  1. Administrative monetary penalties from the Commission — up to $10,000,000 or 3% of gross global revenue, whichever is greater (section 114 of the PPCDA)
  2. Civil damages claims from affected individuals (section 132)

Those two exposures are not mutually exclusive. Both can arise from the same finding.


The process under Bill C-36

Civil liability under section 132 requires a prior finding. The sequence is:

  1. Individual files a complaint with the Digital Safety and Data Protection Commission
  2. The Privacy and Consumer Data Commissioner investigates
  3. The Commission issues a finding — contravention confirmed or not
  4. If contravention confirmed: the individual can commence a civil action in Federal Court or a provincial superior court

Individuals cannot bypass the Commission and go directly to court. But once a finding confirming a contravention is issued, the door to civil litigation opens.


What this means for a small business

Under PIPEDA, privacy compliance has felt like a regulatory risk that stays in the background: the probability of enforcement is low, the OPC cannot impose penalties, and a complaint finding by itself carries limited consequences.

Bill C-36 and the PPCDA change that risk structure. A confirmed contravention finding opens the door to civil suits from every individual whose personal information was involved. A breach that affects 200 customers — a ransomware attack where client records were exposed, a phishing incident where an employee's email account gave access to a contact database — could, if a contravention is confirmed, expose the organization to civil claims from all 200 of them.

The individual damages claim for any one person may be modest. The cost of defending multiple actions — and the aggregate exposure — is not.


What makes a contravention finding more likely

Failure to notify when required. Section 58 of the PPCDA requires notification to the Commission and to affected individuals when a breach creates a real risk of significant harm. Failing to notify when the RROSH threshold was met is a clear contravention.

No documented RROSH assessment. If the organization cannot show that it assessed real risk of significant harm at the time of the breach — in writing, using the statutory factors — the argument that notification was not required is hard to sustain. The Commission will look for documentation made at the time, not a retrospective explanation filed after a complaint arrives.

No privacy management program. Section 9 of the PPCDA makes a documented program mandatory. An organization with no program is in contravention of section 9 independently of any breach. The Commission can find that contravention proactively — without waiting for an incident.

Sensitive categories of personal information. Health, financial, and identity information carry higher inherent risk. Breaches involving these categories are more likely to meet the RROSH threshold and more likely to produce demonstrable individual harm — which makes both the contravention finding and the subsequent damages claim more viable.


What lowers the exposure

The organizations with the lowest exposure under section 132 share one practice: they document their breach decisions at the time the decision is made.

That means:

  • Every breach is assessed for real risk of significant harm in writing, using the actual factors from section 58(8) of the PPCDA, at the time the breach is discovered
  • If the assessment concludes RROSH is present, notification happens and is documented
  • If the assessment concludes RROSH is not present, the reasoning is documented — not reconstructed after a complaint arrives
  • Breach records are maintained as required by section 60

This is not a sophisticated compliance program. It is a documented decision-making process applied consistently to every breach, regardless of how minor it appears at first. The organizations most exposed to section 132 liability are those that make informal breach decisions verbally, without documentation, and without applying the statutory factors.


Scope note

This article covers the PPCDA (Bill C-36), which applies to private-sector organizations engaged in inter-provincial or international commercial activity. Quebec organizations primarily engaged in intra-provincial commercial activity are governed by Quebec's Act respecting the protection of personal information in the private sector (Law 25 / Bill 64), which has its own civil liability provisions. Quebec obligations are not covered here.


What to do now

The PPCDA is not yet law. PIPEDA remains operative. But the section 132 risk is reason to build the documentation practices now — because the breach decisions you make today will be the evidentiary record if a complaint is filed after the PPCDA comes into force.

Three practices that make the largest difference:

  1. Assess every breach for RROSH in writing, using the statutory factors. Not every breach requires notification. Every breach requires a documented assessment. That assessment is the primary protection against a finding that notification was required and withheld.

  2. Maintain breach records. Section 60 of the PPCDA requires it, and PIPEDA's equivalent (section 10.3) requires it now. Every breach, every assessment, every notification decision belongs in the record.

  3. Build your privacy management program before the PPCDA comes into force. An organization with a documented, functional program is substantially harder to find in contravention under section 9. And a section 9 contravention is one of the bases that opens the door to section 132 civil actions.




Frequently asked questions

Could individuals sue organizations under PIPEDA?

Only after a complaint to the OPC. Under PIPEDA, an individual who believes an organization mishandled their personal information files a complaint with the OPC. After receiving the OPC's report of findings (or notice that the investigation was discontinued), the complainant may apply to the Federal Court under section 14, and the Court may award damages under section 16; the OPC may also apply with the complainant's consent (section 15). Such applications have been uncommon and awards modest. PIPEDA has no administrative monetary penalties, so an organization that receives a complaint finding and ignores it faces limited consequences unless the complainant goes to court.

How does the private right of action work under Bill C-36 and the PPCDA?

Section 132 of the PPCDA creates a right to sue for damages after the Commission issues a confirmed contravention finding. The individual files a complaint with the Commission, the Commission investigates, and if it confirms a contravention, the individual can then commence a civil action for damages in Federal Court or a provincial superior court. The civil action requires a prior finding — individuals cannot bypass the Commission and go directly to court.

Does every data breach automatically give individuals the right to sue under the PPCDA?

No. The right to sue under section 132 is triggered by a confirmed contravention finding from the Commission — not by the breach itself. A breach that was properly assessed, properly notified where required, and properly documented may not result in a contravention finding at all. Civil liability under Bill C-36 attaches to contraventions of the PPCDA, not to breaches that were handled correctly.

What damages can individuals claim under the PPCDA private right of action?

Section 132 of the PPCDA authorizes a claim for damages following a confirmed contravention. The PPCDA does not prescribe fixed statutory damages — individuals must establish the harm they actually suffered as a result of the contravention. Breaches involving sensitive categories of personal information (health, financial, identity) typically produce more demonstrable harm and therefore more viable damages claims.

Does the Bill C-36 private right of action apply to Quebec organizations?

Quebec organizations primarily governed by Quebec's Act respecting the protection of personal information in the private sector (Law 25) have their own enforcement mechanisms under that Act. The PPCDA applies to inter-provincial and international commercial activity, so a Quebec organization that moves personal information across provincial or national borders in the course of commerce can be subject to both regimes for different parts of its operations. Law 25 has its own civil liability provision, which is separate from section 132 of the PPCDA.

This guide is educational and does not constitute legal advice. It is grounded in the text of PIPEDA, Alberta PIPA, and BC PIPA and published guidance from the OPC, OIPC Alberta, and OIPC BC. If your situation involves regulatory investigation, litigation risk, or circumstances not addressed here, engage a qualified privacy lawyer.